It’s three weeks since the word HAFNIUM hit the news.

The word Hafnium refers to a cybergang who are said to focus on stealing data from pretty much anyone and everyone they can infiltrate, across an eclectic range of industry sectors, and this time they hit a sort-of cybercrime jackpot.

The Hafnium crew, it turned out, not only knew about four zero-day vulnerabilities in Microsoft Exchange, but also knew how to exploit these bugs reliably in order to walk into unprotected networks almost at will.

The Exchange bugs didn’t include a remote code exeution (RCE) hole to give the crooks the direct and immediate access to a compromised server, but the bugs did allow the crooks to rig up RCE using a trick known as a webshell.

Greatly simplified, the attack goes like this:

  • Exploit the Exchange bugs to write a booby-trapped web file called a webshell onto a vulnerable server.
  • Trigger the booby-trapped web page hosting the webshell to run a Powershell (or similar) command to download further malware, such as a fully-featured backdoor toolkit.
  • Enter at will and, very loosely speaking, commit whatever cybercrimes are on today’s “to do” list.

BlackKingdom ransomware still exploiting insecure Exchange servers