SafeBreach Labs has updated the Hacker’s Playbook™ with new attack methods for the malware samples described in US-CERT alert AA21-062A, Mitigate Microsoft Exchange Server Vulnerabilities, which addresses multiple zero-day vulnerabilities that a newly identified Chinese state-sponsored threat group, Hafnium, has successfully exploited. The vulnerabilities are used against on-premises Microsoft Exchange Server 2013, 2016, and 2019 to access all user email accounts. The attackers executed arbitrary code on vulnerable Exchange Servers, gaining persistent system access; they also accessed files, mailboxes, and credentials, moved laterally to exfiltrate data, and added new users. The vulnerabilities are being used to steal the full contents of user mailboxes without requiring authentication.
Listen to the details of the attack from SafeBreach Labs’ Tomer Bar:
8 newly developed playbook methods related to AA21-062A:
#5977 – Communication with exchange_exploit using HTTP (Infiltration)
#5978 – Write reGeorg_webshell malware to disk (Host-Level)
#5979 – Transfer of reGeorg_webshell malware over HTTP/S (Lateral Movement)
#5980 – Transfer of reGeorg_webshell malware over HTTP/S (Infiltration)
#5981 – Email reGeorg_webshell malware as a ZIP attachment (Lateral Movement)
#5982 – Email reGeorg_webshell malware as a ZIP attachment (Infiltration)
#5983 – Exploitation of CVE-2021-26855 external Exchange server (Infiltration)
#5984 – Exploitation of CVE-2021-26855 internal Exchange server (Infiltration)
3 existing playbook methods related to AA21-062A:
#1338 – Remote command execution by PSExec (Infiltration)
#1339 – Remote command execution by PSExec (Lateral Movement)
#2189 – Account Manipulation (Host Level)
What you should do now
The new attack methods for US-CERT AA21-062A are already in the SafeBreach Hacker’s Playbook and ready to be run across your simulators. The Known Attack Series report has been updated so you can run the specific attacks from this US-CERT alert. From the Known Attack Series report, select the US-CERT Alert AA21-062A (Hafnium) report and select Run Simulations, which runs all of the attack methods listed above.