Skip Navigation
BlackBerry Blog

BlackBerry Deconstructs and Demonstrates HAFNIUM Attack

In search of soft targets, threat groups are increasingly utilizing zero-day fileless attacks, rather than malware, to gain an initial foothold on victims’ systems. The “fileless” moniker is in fact a bit of a misnomer. Zero-day fileless attacks are only fileless to the extent they don’t begin by requiring malicious executables to be written to disk. Instead, the threat actor exploits a previously unknown software vulnerability to inject and execute malicious code in system memory.

Once accomplished, the threat actor can utilize legitimate system services and network utilities for reconnaissance, exfiltration, and more. This makes fileless attacks much harder to detect and trace than attacks initiated by malware.

Often, however, files do play a role in fileless attacks. For example, malicious code can be contained in a weaponized document and loaded into memory when the document is opened. Persistence, in turn, can be achieved by modifying the system registry.

The zero-day attacks by the HAFNIUM Threat Group on Microsoft® Exchange Servers are fileless because they utilize a zero-day remote code execution (RCE) exploit to inject code into server memory. No user interaction is needed. To establish persistence, a web shell is installed. This enables HAFNIUM to decide later whether to continue attacking the victim or sell access to the compromised server to another threat group.

Zero-day exploits typically proceed through a vulnerability timeline like the one shown below:

The HAFNIUM attacks were already underway in January 2021, when Microsoft was first notified of four Exchange Server vulnerabilities, and a proof-of-concept (POC) RCE attack chain became available. However, the extent of the threat wasn’t widely known until March 2021, when the Microsoft Security Response Center (MSRC) issued a blog describing the vulnerabilities, and released patches, tools, and recommendations for investigating, mitigating, and remediating attacks. By then, HAFNIUM and other threat groups had begun compromising tens of thousands of Exchange Servers.

Hacking Exposed Webinar: Inside the Microsoft Exchange/Proxy Logon Hack
We invite you to learn more about the HAFNIUM attacks by viewing a special two-part, on-demand Hacking Exposed presentation by Brian Robison, BlackBerry Chief Evangelist and Senior Director of Product Marketing.

In Part One, Brian deconstructs:

  • The four Exchange Server vulnerabilities exploited by HAFNIUM.
  • The scripts and commands used by HAFNIUM for each step of the attack chain.
  • Common post-exploitation strategies by HAFNIUM and other advanced threat groups.

In Part Two, Brian moves into the lab to demonstrate two different versions of the HAFNIUM attack chain. In his first demonstration, Brian installs a web shell on the compromised Exchange Server, which enables an attacker to remotely execute commands with system-level privileges. The attack chain is based on the POC exploit released in January 2021.

In the second demonstration, Brian shows how to implement the exploit as a command and control (C2) server, and utilize tools like ProcDump, FTP, and Pypykatz to harvest domain credentials from compromised Exchange Servers.

Don’t miss this essential Hacking Exposed security briefing!

Watch now!

About Corporate Communications