The Microsoft Exchange Server breach began in January 2021, when the hacker group HAFNIUM gained access to on-premises Microsoft Exchange Servers through multiple zero-day vulnerabilities, collectively known as ProxyLogon. Since the initial breach, HAFNIUM is estimated to have gained access to over 60,000 servers before being locked out.
From the initial foothold, HAFNIUM deployed a malicious web shell to execute commands remotely, add user accounts, and steal copies of the Active Directory database. Credentials were then dumped from the Local Security Authority Subsystem Service (LSASS) process, and the attackers scraped sensitive personal information from emails held on the compromised Microsoft Exchange Servers.
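As an added example that is not part of the CyberGRX post, the following Python sketch shows how the post-exploitation steps described above could be surfaced from endpoint telemetry. The event records, field names and the LSASS allowlist are constructed assumptions, loosely modelled on Sysmon process-creation (Event ID 1) and process-access (Event ID 10) records.

```python
import ntpath
import re

# Constructed sample events (not real telemetry); field names loosely follow
# Sysmon process-creation and process-access records.
SAMPLE_EVENTS = [
    {"type": "create", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user helpdesk2 Passw0rd /add"},
    {"type": "access", "source": r"C:\Windows\Temp\p.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"type": "create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" ifm "create full C:\\Temp\\x" q q'},
    {"type": "create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Assumed allowlist of processes that legitimately open LSASS; tune per estate.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the kill-chain stage an event matches, or None if it looks benign."""
    if event["type"] == "create":
        parent, image, cmd = base(event["parent"]), base(event["image"]), event["cmdline"].lower()
        if parent == "w3wp.exe" and image in SHELLS:      # IIS worker spawning a shell
            return "web shell command execution"
        if image in {"net.exe", "net1.exe"} and re.search(r"\buser\b.*\s/add\b", cmd):
            return "local account creation"
        if (image == "ntdsutil.exe" and "ifm" in cmd) or "ntds.dit" in cmd:
            return "Active Directory database copy"
    elif event["type"] == "access":
        if base(event["target"]) == "lsass.exe" and base(event["source"]) not in LSASS_ALLOWLIST:
            return "LSASS credential access"
    return None


def triage(events):
    """List (index, stage) for every event that matches a stage of the kill chain."""
    return [(i, stage) for i, e in enumerate(events) if (stage := classify(e))]


if __name__ == "__main__":
    for i, stage in triage(SAMPLE_EVENTS):
        print(f"event {i}: {stage}")
```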
For customers on the CyberGRX Exchange, a threat profile connected to this breach is available for download through the CyberGRX platform. The HAFNIUM threat profile allows users to visualize and understand the attack kill chain, limit the amount of damage by forming a blueprint for active remediation, and locate major security gaps in their supply chain ecosystem.