Shadowserver Special Reports – HAFNIUM Exchange Victims

March 11, 2021

Shadowserver’s free daily network reports contain data about security events observed in recipients’ networks and countries within the past 24 hour period. If you don’t already receive our network reports you can subscribe here.

Sometimes, however, it is useful to be able to notify potential victims about incidents or breaches that may have impacted them outside of that 24 hour window. During high-profile events such as the SolarWinds Orion/SUNBURST supply chain compromise or the ongoing HAFNIUM/Microsoft Exchange Server mass breaches, it may take a number of days for incident responders to complete their forensic investigations before analyzed data becomes available for sharing with potential victims.

Shadowserver Special Reports are a NEW type of free, one-off report. They do not cover a specific time period. We will send out Special Reports whenever we are able to share one-time, high-value datasets that we feel should be reported responsibly for maximum public benefit. Although the events included in these Special Reports will fall outside of our usual 24 hour daily reporting window, we believe there is still significant benefit to our constituents in receiving, and hopefully acting on, the retrospective data.

For our first Special Report – the HAFNIUM Exchange Victims Special Report – we have today distributed a one-off report to 120 National CSIRTs in 148 countries and to over 5900 network owners, containing potential victim information believed to be related to the HAFNIUM Microsoft Exchange Server breaches. The HAFNIUM group allegedly targeted Microsoft Exchange servers using the recently announced CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 vulnerabilities to gain remote access, deploy webshell-based backdoors and then engage in post-exploitation activity. Note that this initial Special Report contains only victim information believed to correspond to activity by the HAFNIUM actor during the period 2021-02-26 to 2021-03-03. It does not contain potential victim information related to activity by other threat actors after that period, including the widely observed exploitation activity currently occurring against unpatched or already compromised Exchange servers. We will be addressing that in a subsequent blog post.

The total dataset distributed includes over 68500 distinct IP addresses. Of these, there is high certainty that 8911 IP addresses were compromised. The remaining IP addresses included in the report are very likely compromised as well, since they were targeted with the OWA 0-day exploit before Microsoft publicly released patches for Exchange.

You can find more detail on the format of the new HAFNIUM Exchange Victims Special Report here.

Remediation advice for Microsoft Exchange Server operators has been provided by CISA. Microsoft have released tools for checking Exchange servers for evidence of exploitation. You can also use the online CheckMyOWA resource to check if your Exchange Server has appeared in their data.
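As an added, illustrative example (not Shadowserver’s or Microsoft’s own tooling): the indicator Microsoft published for CVE-2021-26855 is an Exchange HttpProxy log entry with an empty AuthenticatedUser whose AnchorMailbox matches the wildcard ServerInfo~*/*. The Python below re-implements that check over a constructed, reduced-column HttpProxy-style log so it can be run offline on exported logs, and additionally splits hits into the 2021-02-26 to 2021-03-03 window the Special Report covers versus later activity. The sample rows, request IDs, hostnames, IP addresses, column subset and the HAFNIUM_WINDOW boundaries are assumptions made for this example.

```python
import csv
import fnmatch
from datetime import datetime, timezone

# Constructed sample in the shape of an Exchange HttpProxy log ('#' comment
# lines, a '#Fields:' line naming the CSV columns, then one CSV row per
# request). Real logs carry many more columns; only those the check needs are
# kept here, and every value below is invented for this example.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: HttpProxy Logs
#Date: 2021-02-28T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-02-28T09:12:41.113Z,req-0001,203.0.113.7,/owa/auth/x.js,,ServerInfo~exch01.contoso.local:444/autodiscover/autodiscover.xml?#
2021-02-28T09:13:02.557Z,req-0002,198.51.100.23,/owa/,contoso\\jsmith,Sid~S-1-5-21-1111-2222-3333-1001
2021-03-02T17:45:19.902Z,req-0003,203.0.113.7,/ecp/y.js,,ServerInfo~exch01.contoso.local:444/ecp/DDI/DDIService.svc/SetObject
2021-03-05T11:00:00.000Z,req-0004,192.0.2.55,/owa/auth/z.js,,ServerInfo~exch01.contoso.local:444/autodiscover/autodiscover.xml?#
2021-03-05T11:02:13.004Z,req-0005,198.51.100.23,/mapi/emsmdb/,contoso\\jsmith,Smtp~jsmith@contoso.com
"""

# Indicator published by Microsoft for CVE-2021-26855: an HttpProxy entry with
# an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*.
ANCHOR_MAILBOX_PATTERN = "ServerInfo~*/*"

# Activity window the Special Report covers (2021-02-26 to 2021-03-03 per the
# post); the end bound is exclusive. Assumed boundaries for this example.
HAFNIUM_WINDOW = (datetime(2021, 2, 26, tzinfo=timezone.utc),
                  datetime(2021, 3, 4, tzinfo=timezone.utc))


def parse_httpproxy_log(text):
    """Return one dict per data row, keyed by the column names from '#Fields:'."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def parse_timestamp(value):
    """HttpProxy timestamps look like 2021-02-28T09:12:41.113Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_cve_2021_26855_hits(rows, window=None):
    """Rows matching the SSRF indicator, optionally limited to [start, end)."""
    hits = []
    for row in rows:
        if row.get("AuthenticatedUser", "") != "":
            continue  # the pre-auth SSRF leaves no authenticated user
        # fnmatch '*' also matches '/', so this behaves like PowerShell's -like
        if not fnmatch.fnmatchcase(row.get("AnchorMailbox", ""), ANCHOR_MAILBOX_PATTERN):
            continue
        ts = parse_timestamp(row["DateTime"])
        if window is not None and not (window[0] <= ts < window[1]):
            continue
        hits.append({"time": ts, "client_ip": row.get("ClientIpAddress", ""),
                     "anchor_mailbox": row["AnchorMailbox"], "url": row.get("UrlStem", "")})
    return hits


def suspicious_client_ips(hits):
    """Distinct source addresses behind the hits, for blocking and log pivoting."""
    return sorted({h["client_ip"] for h in hits})


if __name__ == "__main__":
    rows = parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG)
    all_hits = find_cve_2021_26855_hits(rows)
    hafnium_hits = find_cve_2021_26855_hits(rows, HAFNIUM_WINDOW)
    print(f"{len(all_hits)} indicator hits overall, {len(hafnium_hits)} inside the HAFNIUM window")
    for h in all_hits:
        print(f"  {h['time']:%Y-%m-%d %H:%M:%S} {h['client_ip']:>15} {h['url']}  {h['anchor_mailbox']}")
    print("source IPs:", ", ".join(suspicious_client_ips(all_hits)))
```

On the sample, three requests match the indicator; two fall inside the HAFNIUM window and one is later, mirroring the distinction the report draws between the original HAFNIUM activity and the follow-on mass exploitation. A clean result from this check is not proof of non-compromise: HttpProxy logs rotate, an attacker who already holds a webshell no longer needs the SSRF, and the other three CVEs leave different traces, so treat it as one signal alongside Microsoft’s published tools and the CISA guidance.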

If you have missed this Special Report because you were not yet a subscriber to our free daily network reports, do not worry: simply subscribe for your network or country now and specifically request all recent Shadowserver Special Reports. We will resend the Special Report specifically for your network or country (for National CERT/CSIRTs).

If you have a data set which you feel could also be of benefit to National CERT/CSIRTs and network owners world-wide to help protect victims of cybercrime, please get in touch and discuss the options for using Shadowserver’s proven reporting systems for distribution and remediation.

We hope that the new Shadowserver Special Reports will be a useful additional free tool in helping network defenders identify victims and better protect their networks and the entire Internet. Please contact us if you have any questions.
