Other

Microsoft Security Blog / CISA AA21-062A / CSO Online

2021-01-03 [vendor] Microsoft Exchange Server (on-premises) [malware] China Chopper webshell / HAFNIUM custom tooling [cve] CVE-2021-26855 · CVE-2021-26857 · CVE-2021-26858 · CVE-2021-27065

Incident Details

The Chinese state-sponsored group HAFNIUM exploited four zero-days in on-premises Microsoft Exchange Server starting on 3 January 2021. CVE-2021-26855 (an SSRF authentication bypass) was chained with CVE-2021-27065 (a post-authentication arbitrary file write) to install webshells. This gave the attackers access to mailboxes, a foothold for lateral movement, and a persistent backdoor. Roughly 60,000 organizations worldwide were compromised before the 2 March 2021 patches were released. After public disclosure, multiple other threat actors, including LockBit affiliates, piled on to exploit unpatched servers, and CISA issued an emergency directive. The later ProxyShell (CVE-2021-34473) and ProxyNotShell vulnerability chains further extended exploitation of Exchange.

Technical Details

Initial Attack Vector
CWE-918: Server-Side Request Forgery (SSRF auth bypass chained with post-auth arbitrary file write for webshell installation)
Vendor / Product
Microsoft Exchange Server (on-premises)
Malware Family
China Chopper webshell / HAFNIUM custom tooling
CVE / GHSA References
CVE-2021-26855 · CVE-2021-26857 · CVE-2021-26858 · CVE-2021-27065

Timeline

  1. 2021-01-03 Breach occurred
  2. 2021-03-02 Publicly disclosed
  3. 2021-03-02 Customers notified