Microsoft Security Blog / CISA AA21-062A / CSO Online

📅 2021-01-03 🏢 Microsoft Exchange Server (on-premises) 🦠 China Chopper webshell / HAFNIUM custom tooling 🔎 CVE-2021-26855 · CVE-2021-26857 · CVE-2021-26858 · CVE-2021-27065

Primary Source ↗

Incident Details

Chinese state-sponsored group HAFNIUM exploited four zero-days in on-premises Microsoft Exchange starting Jan 3 2021. CVE-2021-26855 (SSRF auth bypass) chained with CVE-2021-27065 (file write) to install webshells. Allowed email access, lateral movement, persistent backdoor. ~60,000 organizations compromised worldwide before March 2 patches. After public disclosure, multiple threat actors piled on including LockBit affiliates. CISA emergency directive issued. Subsequent ProxyShell (CVE-2021-34473) and ProxyNotShell further extended Exchange exploitation.

Technical Details

Initial Attack Vector: CWE-918: Server-Side Request Forgery (SSRF auth bypass chained with post-auth arbitrary file write for webshell installation)
Vendor / Product: Microsoft Exchange Server (on-premises)
Malware Family: China Chopper webshell / HAFNIUM custom tooling
CVE / GHSA References: CVE-2021-26855 CVE-2021-26857 CVE-2021-26858 CVE-2021-27065

Timeline

2021-01-03 Breach occurred
2021-03-02 Publicly disclosed
2021-03-02 Customers notified