HAFNIUM

Threat Actor updated 23 days ago (2024-11-29T14:31:36.985Z)
HAFNIUM, also known as Silk Typhoon, is a threat actor group originating from China that has been involved in several significant cyber-attacks. The group has exploited vulnerabilities in Microsoft Exchange Server and Zoho products, using web shells for remote access and unconventional techniques for tampering with scheduled tasks to maintain persistent connections. One notable method, used by its Tarrask malware, modifies registry keys to establish persistence and conceal malicious activity on infected endpoints. HAFNIUM has also used the Windows Task Scheduler to run hidden scheduled tasks, allowing its malware to evade detection. In March 2021, the Exchange Server team released a script to check for HAFNIUM indicators of compromise (IOCs).

The group's activity was marked by the execution of encoded PowerShell commands and the use of the type command to view the contents of suspected web shell files named outlooken.aspx. Rapid7 observed Procdump.exe commands being run through the China Chopper web shell to write the memory contents of the lsass.exe process to disk. Traces tying HAFNIUM to the ShadowPad malware and to UNC2643 activity were also found, along with Cobalt Strike beacons. The filename system_web.aspx was identified as a known HAFNIUM IOC.

The escalation in HAFNIUM's use of exploits, and their subsequent use by other actors, suggests that the same exploit may have been shared or leaked; this was evidenced by the exploitation of the same victim by multiple different actors (HAFNIUM and coinminer drops) within a two-week timeframe. In 2021 there was a surge in incidents due to HAFNIUM exploiting a Microsoft Exchange Server bug. The numbers for the first half of 2023 were nevertheless significantly higher than those for the second half of 2022, when cyber incident reports almost ground to a halt.
Description last updated: 2024-11-28T11:44:57.374Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Exploit
State Sponso...
Vulnerability
Malware
Exploits
Zero Day
Apt
Espionage
exploited
Iis
Windows
exploitation
Web Shell
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes
 | The China Chopper Malware is associated with HAFNIUM. China Chopper is a well-known malware that has been used extensively by Chinese-speaking actors, including the BRONZE UNION group. The malware is designed to exploit and damage computer systems, often without the knowledge of the user. It can infiltrate systems through suspicious downloads, emails, | Unspecified | 2
Source Document References
Information about the HAFNIUM Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At
Securelist | 24 days ago
ESET | 7 months ago
DARKReading | 8 months ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
MITRE | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
DARKReading | a year ago
CERT-EU | 2 years ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | 2 years ago
Naked Security | 2 years ago