HAFNIUM, also known as Silk Typhoon (Microsoft's current name for the group), is a threat actor originating from China that has been involved in several significant cyber-attacks. The group has exploited vulnerabilities in Microsoft Exchange Server and in Zoho products, using web shells for remote access and unconventional tampering with scheduled tasks to keep persistent connections. One notable method, seen in its Tarrask malware, is to edit the registry entries that back the Windows Task Scheduler so that a scheduled task is hidden from the usual tooling: the task still runs and re-establishes the attacker's access, but it no longer appears in the Task Scheduler UI or in schtasks output, which conceals the persistence mechanism on infected endpoints and helps the malware evade detection.
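The hidden-task technique described above leaves a trace that can be hunted for: the task's key under the Task Scheduler cache in the registry still exists, but it has lost the SD (security descriptor) value that every normal task carries. The following PowerShell script is an added example, not code from the original page or from Microsoft; it walks the TaskCache\Tree branch, reports task keys with no SD value, and cross-checks whether the scheduler API still returns the task. Registry paths are the documented Task Scheduler locations; the output columns are this example's own choice. Run it elevated.

```powershell
# Added example, not code from the original page or from Microsoft: list scheduled
# tasks whose registry entry under the Task Scheduler cache lacks the SD (security
# descriptor) value. Tarrask deletes that value, which makes the task disappear from
# schtasks /query and the Task Scheduler UI while it keeps running. Run elevated.

$TreePath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule\TaskCache\Tree'
$TasksPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTask {
    [CmdletBinding()]
    param()

    # Each registered task has a key under \Tree named after its scheduler path.
    # Task keys carry an 'Id' (GUID) and normally an 'SD' value; folder keys have no Id.
    Get-ChildItem -Path $TreePath -Recurse -ErrorAction Stop | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.Id) { return }   # folder key, skip
        if ($null -ne $props.SD) { return }                        # normal task, skip

        # Scheduler path of the task, e.g. \Microsoft\Windows\Foo\Bar
        $taskPath = $key.Name -replace '^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Schedule\\TaskCache\\Tree', ''
        $taskName = Split-Path -Leaf $taskPath
        $folder   = Split-Path -Parent $taskPath
        if (-not $folder.EndsWith('\')) { $folder += '\' }

        # Cross-check: the scheduler API does not return a task whose SD is missing,
        # so a hit here with VisibleToApi = False is the hidden-task pattern.
        $visible = $null -ne (Get-ScheduledTask -TaskPath $folder -TaskName $taskName -ErrorAction SilentlyContinue)

        # \Tasks\{GUID} holds the definition (Author, Path, URI, binary Actions/Triggers);
        # Author is readable as-is and useful for triage.
        $def = Get-ItemProperty -Path (Join-Path $TasksPath $props.Id) -ErrorAction SilentlyContinue

        [PSCustomObject]@{
            TaskPath     = $taskPath
            TaskId       = $props.Id
            Author       = $def.Author
            VisibleToApi = $visible
            RegistryKey  = $key.Name
        }
    }
}

Find-HiddenScheduledTask | Format-Table -AutoSize
```

A hit means the task definition has been tampered with by something that writes the registry directly rather than through the Task Scheduler API. Treat the whole task as attacker-controlled: inspect the \Tasks\{GUID} values before deleting it, and remove it through the registry rather than schtasks, since the scheduler will not see it. For forward-looking coverage, enabling the Microsoft-Windows-TaskScheduler/Operational log and auditing task creation (Security event 4698) records the task at the moment it is registered, before the SD value is removed.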
In March 2021, the Exchange Server team released a script to check for HAFNIUM indicators of compromise (IOCs). Observed activity included executing encoded PowerShell commands and using the type command to read the contents of suspected web shell files named outlooken.aspx. Rapid7 observed the Sysinternals ProcDump utility (procdump.exe) being run through the China Chopper web shell to write the memory of the lsass.exe process to disk; lsass.exe holds cached credentials, so such a dump is a credential-theft step that can be parsed offline. Traces tying HAFNIUM to the ShadowPad malware and to UNC2643 activity were also found, together with Cobalt Strike beacons. The filename system_web.aspx was identified as a known HAFNIUM IOC.
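Two of the observations above translate directly into hunts on an Exchange server: a search of the web-accessible directories for the named web shell files, and a search of process-creation events for ProcDump being pointed at lsass.exe. The following PowerShell script is an added example and is not code from the original page or from the Exchange team's IOC script. The drop directories, the 30-day window and the constructed sample command lines are assumptions for illustration; the file names come from the page.

```powershell
# Added example, not code from the page or from the Exchange team's IOC script: hunt an
# Exchange server for the two web shell file names the page lists, and look for
# procdump.exe aimed at lsass.exe in process-creation events, the China Chopper step
# Rapid7 described. Directory list and 30-day window are assumptions; adjust as needed.

$WebShellNames = @('outlooken.aspx', 'system_web.aspx')

# Typical drop locations for an Exchange web shell (assumed; extend for your layout).
$ExchangeRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }
$SearchRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $ExchangeRoot 'ClientAccess'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

function Find-NamedWebShell {
    param([string[]]$Roots = $SearchRoots, [string[]]$Names = $WebShellNames)
    if (-not $Roots) { return }   # nothing to search on a non-Exchange host
    Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

# Pure matcher so the logic can be exercised on constructed command lines.
function Test-LsassDumpCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # ProcDump dumping lsass looks like "procdump.exe -ma lsass.exe out.dmp";
    # also covers procdump64.exe and the -accepteula form.
    ($CommandLine -match '(?i)\bprocdump(64)?(\.exe)?\b') -and ($CommandLine -match '(?i)\blsass(\.exe)?\b')
}

function Find-LsassDumpEvents {
    param([int]$Days = 30)
    # Security 4688 carries the command line only when "Include command line in process
    # creation events" is enabled; ParentProcessName exists on Windows 10/2016 and later.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data   = ([xml]$_.ToXml()).Event.EventData.Data
        $cmd    = ($data | Where-Object Name -eq 'CommandLine').'#text'
        $parent = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
        if ($cmd -and (Test-LsassDumpCommandLine $cmd)) {
            [PSCustomObject]@{
                TimeCreated = $_.TimeCreated
                Parent      = $parent
                # A web shell runs inside the IIS worker process, so w3wp.exe as the
                # parent of the dump command is the tell for web-shell-driven execution.
                FromIis     = $parent -like '*\w3wp.exe'
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample command lines to show what the matcher flags.
$Samples = @(
    'cmd.exe /c procdump64.exe -accepteula -ma lsass.exe C:\windows\temp\lsass.dmp',  # True
    'procdump.exe -ma 1234 out.dmp',            # False: PID form, not matched by name
    'notepad.exe C:\users\public\lsass.txt'     # False: no procdump
)
$Samples | ForEach-Object { '{0,-5} {1}' -f (Test-LsassDumpCommandLine $_), $_ }

Find-NamedWebShell
Find-LsassDumpEvents | Format-Table -AutoSize
```

The name-based web shell check is deliberately narrow: it finds exactly the files the page names and nothing else, so a renamed shell slips past it. The reliable complement is the parent-process check in the second function: cmd.exe, powershell.exe or procdump.exe spawned by w3wp.exe is unusual on a healthy Exchange server regardless of what the shell file is called, and the same 4688 query with the `FromIis` test alone is worth running on its own.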
The escalation in HAFNIUM's use of the exploit, followed by its use by other actors, suggests that the same exploit was shared or leaked. This was evidenced by the same victim being exploited by multiple actors (HAFNIUM and then coin-miner drops) within a two-week window. In 2021 there was a surge in incidents because of HAFNIUM's exploitation of a Microsoft Exchange Server bug. The numbers for the first half of 2023 were in turn significantly higher than those for the second half of 2022, when cyber incident reports almost ground to a halt.
Description last updated: 2024-11-28T11:44:57.374Z