SlideShare uma empresa Scribd logo

Hafnium attack

Happiest Minds Technologies
Happiest Minds Technologies

Happiest Minds’ Cyber Security Incident Response Team (CSIRT) was involved in the firsthand incident analysis and response preparation.

Tecnologia
1 de 8
Baixar para ler offline
HAFNIUM (HF) ATTACK Microsoft Exchange or Microsoft Ex-change
Attackers group named ‘Hafnium’, unlike the likely reason of their name, a completely non-toxic chemical Hafnium (Hf) [Atomic# 72], has rippled the cyber world by exploiting Microsoft’s Exchange, a flagship enterprise emailing platform. The attack has jolted the cyber world, especially Exchange on-premises deployment, which is used globally by ~350 Million mailboxes. Happiest Minds’ Cyber Security Incident Response Team (CSIRT) was involved in firsthand incident analysis and response preparation. In this exercise, we have observed a few unique attack characteristics, which are detailed below: Understanding of key building blocks in Exchange 2013 and onwards PREREQUISITES Clent Access Server (CAS) functions MBX Functions • Authentication • Proxying • Redirection • Biz logics • Storage • Load Balancing Transport Transport MRS MRSProxy MRS MRSProxy EWS EWS XSO XSO CTS CTS Store Store ESE ESE Content Index Content Index File System File System Mail Items Mail Items Other API Other API RPC CA RPC CA Assistants Assistants Protocols, Server Agents Business Logic Storage Server1, Vn Server2, Vn+1 EWS Protocol MRS Proxy SMTP Custom WS Banned Authentication can be through local or through a central directory like AD. This functionality authenticates any client who intends to connect to Exchange Proxying is the CAS functionality which renders backend services even if the clients connect through Web, POP, IMAP or server-side connections on SMTP or any UC services 1 2
ATTACKER ACTIONS Exploited Server-Side Request Forgery (SSRF) vulnerability on Exchange servers WHAT HOW A weakness in the webserver which lets an attacker use the web server as a web client (like chrome, IE, Mozilla Firefox, Safari, and others) but with a command line. Attackers made random HTTP POST requests on Exchange servers which had CAS exposing HTTP proxy to render Outlook Web Access (OWA). The HTTP POSTs were targeting valid style sheets, gif files on Exchange servers at the path /owa/auth/Current/themes/ resources/<<xxx>>.css. Exchange servers were vulnerable, and such POST requests bypassed authentication and granted ‘LOCAL ADMIN/SYSTEM’ rights to the attacker.
ATTACKER ACTIONS With SYSTEM access, the attackers placed ‘Web Shell’ on the compromised server. These ‘Web Shells’ were named with common names like ‘Login.aspx’ , which could easily go unnoticed during investigations WHAT HOW A Web shell is a script written in common web languages like ASP, Python, Ruby and others, which gives the attacker a command line to use the server as a client to run web requests of attackers’ choice (SSRF). The most used shell by the attackers was a well-known shell, ‘China Chopper’. This shell is meagerly 2-3KB in size, and an attacker could literally type and build the shell on the server without needing any file to be transferred over a network. Excerpt from ‘China Chopper’
ATTACKER ACTIONS Now it’s ‘Nirvana’ WHAT HOW Attacker with system-level privileges on the server and ‘Web Shell’ implanted to execute under same permission levels Hafnium used this to access all mailboxes, scoop away sensitive information, get access to the local directory server, escalate privileges in a network and keep moving laterally inside the network. Now it’s ‘Nirvana’
EXPLOITED VULNERABILITIES CVE-2021-26855 CVE-2021-26857 CVE-2021-26858 CVE-2021-27065 This is a server-side request forgery (SSRF) vulnerability in Exchange, which enabled the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. This is an insecure deserialization vulnerability in the Unified Messaging service. It is where a program deserializes untrusted user- controllable data. Exploiting this vulnerability provided HAFNIUM with the ability to run code as a SYSTEM on the Exchange server. This needs the permission of an administrator or another vulnerability to exploit. This is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM can authenticate with the Exchange server, then they could easily use this vulnerability to write a file to any path on the server. This allows them to authenticate by exploiting the CVE-2021- 26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. This is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM can authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. This allows them to authenticate by exploiting the CVE-2021- 26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. READ MORE READ MORE READ MORE READ MORE
FROM CISO’S DESK VIJAY BHARTI SVP, Head of CSIRT, Happiest Minds Technologies This again is a stark reminder of how vulnerable IT systems are. It is just a matter of time; another “Zero-day” vulnerability is found and exploited to cause havoc on businesses. Organizations need to prepare for such eventualities by – Design systems for minimum impact by leveraging least privileges, Zero Trust architectures Invest in advanced Detective controls and mechanism for faster detection, analysis, and response Continuously test/review, conduct Cyber drills and exercises to ensure a coordinated response
Happiest Minds Technologies Your Cyber Security Partner! Happiest Minds with its presence in India, U.S., UK, Canada, Australia and Middle East countries has very niche Cyber Security Incident Response Team (CSIRT) helping customers in solutioning advance detection techniques. CSIRT is vendor agnostic team with top notch Infosec practitioners working directly under supervision of CISO of Happiest Minds, Mr Bharti. Key services from CSIRT Preparing customers for better incident handling Consulting customers to shift from negative incident handling models to positive models Consult customers add ‘Visibility’ with measurable KPIs in the infosec program 1 2 3 If you are impacted/attacked, please email us at business@happiestminds.com for a pro-bono log analysis and plan the next steps. www.happiestminds.com

Recomendados

Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection AttackRaghav Bisht
 
Codeinjection
CodeinjectionCodeinjection
CodeinjectionNitish Kumar
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smugglingApijay Kumar
 
Secure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior
 
Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Adam Nurudini
 
Secure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior
 

Recomendados

Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection AttackRaghav Bisht
 
Codeinjection
CodeinjectionCodeinjection
CodeinjectionNitish Kumar
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smugglingApijay Kumar
 
Secure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior
 
Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)Adam Nurudini
 
Secure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior - LDAP injection
Secure Code Warrior - LDAP injectionSecure Code Warrior
 
Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Jeff Suratt
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEric Vanderburg
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 
Metascan Multi-Scanning Technology for Linux
Metascan Multi-Scanning Technology for LinuxMetascan Multi-Scanning Technology for Linux
Metascan Multi-Scanning Technology for LinuxOPSWAT
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksTesfahunegn Minwuyelet
 
Exchange Conference (Philadelphia) - Exchange 2007 Security
Exchange Conference (Philadelphia) - Exchange 2007 SecurityExchange Conference (Philadelphia) - Exchange 2007 Security
Exchange Conference (Philadelphia) - Exchange 2007 SecurityHarold Wong
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeEd Bellis
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So MetaEd Bellis
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application FirewallPort80 Software
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011Ed Bellis
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 
Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...KajolPatel17
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 

Mais conteúdo relacionado

Mais procurados

Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Jeff Suratt
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEric Vanderburg
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 
Metascan Multi-Scanning Technology for Linux
Metascan Multi-Scanning Technology for LinuxMetascan Multi-Scanning Technology for Linux
Metascan Multi-Scanning Technology for LinuxOPSWAT
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksTesfahunegn Minwuyelet
 
Exchange Conference (Philadelphia) - Exchange 2007 Security
Exchange Conference (Philadelphia) - Exchange 2007 SecurityExchange Conference (Philadelphia) - Exchange 2007 Security
Exchange Conference (Philadelphia) - Exchange 2007 SecurityHarold Wong
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeEd Bellis
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So MetaEd Bellis
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application FirewallPort80 Software
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011Ed Bellis
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 

Mais procurados (20)

Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers Apache struts vulnerabilities compromise corporate web servers 
Apache struts vulnerabilities compromise corporate web servers 
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
 
Metascan Multi-Scanning Technology for Linux
Metascan Multi-Scanning Technology for LinuxMetascan Multi-Scanning Technology for Linux
Metascan Multi-Scanning Technology for Linux
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacks
 
Exchange Conference (Philadelphia) - Exchange 2007 Security
Exchange Conference (Philadelphia) - Exchange 2007 SecurityExchange Conference (Philadelphia) - Exchange 2007 Security
Exchange Conference (Philadelphia) - Exchange 2007 Security
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent Life
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So Meta
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languages
 

Semelhante a Hafnium attack

Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...KajolPatel17
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hackingleminhvuong
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointZack Meyers
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeFastly
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
4774.projectb.securitysquad
4774.projectb.securitysquad4774.projectb.securitysquad
4774.projectb.securitysquadJosh Howell
 
Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surfaceAvi Shulman
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
 
Confining the Apache Web Server with Security-Enhanced Linux
Confining the Apache Web Server with Security-Enhanced LinuxConfining the Apache Web Server with Security-Enhanced Linux
Confining the Apache Web Server with Security-Enhanced Linuxwebhostingguy
 
Confining the Apache Web Server with Security-Enhanced Linux
Confining the Apache Web Server with Security-Enhanced LinuxConfining the Apache Web Server with Security-Enhanced Linux
Confining the Apache Web Server with Security-Enhanced Linuxwebhostingguy
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber SecurityCedar Consulting
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 

Semelhante a Hafnium attack (20)

Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
2071
20712071
2071
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPointBsides-Philly-2016-Finding-A-Companys-BreakPoint
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Xss frame work
Xss frame workXss frame work
Xss frame work
 
4774.projectb.securitysquad
4774.projectb.securitysquad4774.projectb.securitysquad
4774.projectb.securitysquad
 
Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surface
 
Attques web
Attques webAttques web
Attques web
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Confining the Apache Web Server with Security-Enhanced Linux
Confining the Apache Web Server with Security-Enhanced LinuxConfining the Apache Web Server with Security-Enhanced Linux
Confining the Apache Web Server with Security-Enhanced Linux
 
Confining the Apache Web Server with Security-Enhanced Linux
Confining the Apache Web Server with Security-Enhanced LinuxConfining the Apache Web Server with Security-Enhanced Linux
Confining the Apache Web Server with Security-Enhanced Linux
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 

Mais de Happiest Minds Technologies

Largest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyLargest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyHappiest Minds Technologies
 
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceExploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceHappiest Minds Technologies
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0Happiest Minds Technologies
 
Automating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKAutomating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKHappiest Minds Technologies
 
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...Happiest Minds Technologies
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Happiest Minds Technologies
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Happiest Minds Technologies
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITHappiest Minds Technologies
 
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITHappiest Minds Technologies
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITHappiest Minds Technologies
 

Mais de Happiest Minds Technologies (20)

Largest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyLargest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case Study
 
BFSI GLOBAL TRENDS FY 24
BFSI GLOBAL TRENDS FY 24BFSI GLOBAL TRENDS FY 24
BFSI GLOBAL TRENDS FY 24
 
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKINGARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
 
DIGITAL MANUFACTURING
DIGITAL MANUFACTURINGDIGITAL MANUFACTURING
DIGITAL MANUFACTURING
 
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceExploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
 
AN OVERVIEW OF THE METAVERSE
AN OVERVIEW OF THE METAVERSEAN OVERVIEW OF THE METAVERSE
AN OVERVIEW OF THE METAVERSE
 
VMware to AWS Cloud Migration
VMware to AWS Cloud MigrationVMware to AWS Cloud Migration
VMware to AWS Cloud Migration
 
Digital-Content-Monetization-DCM-Platform-2.pdf
Digital-Content-Monetization-DCM-Platform-2.pdfDigital-Content-Monetization-DCM-Platform-2.pdf
Digital-Content-Monetization-DCM-Platform-2.pdf
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
 
Cloud Reshaping Banking
Cloud Reshaping BankingCloud Reshaping Banking
Cloud Reshaping Banking
 
Automating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKAutomating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UK
 
PAMaaS- Powered by CyberArk
PAMaaS- Powered by CyberArkPAMaaS- Powered by CyberArk
PAMaaS- Powered by CyberArk
 
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
 
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
 
How to Approach Tool Integrations
How to Approach Tool IntegrationsHow to Approach Tool Integrations
How to Approach Tool Integrations
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
 

Último

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Último (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Hafnium attack

  • 1. HAFNIUM (HF) ATTACK Microsoft Exchange or Microsoft Ex-change
  • 2. Attackers group named ‘Hafnium’, unlike the likely reason of their name, a completely non-toxic chemical Hafnium (Hf) [Atomic# 72], has rippled the cyber world by exploiting Microsoft’s Exchange, a flagship enterprise emailing platform. The attack has jolted the cyber world, especially Exchange on-premises deployment, which is used globally by ~350 Million mailboxes. Happiest Minds’ Cyber Security Incident Response Team (CSIRT) was involved in firsthand incident analysis and response preparation. In this exercise, we have observed a few unique attack characteristics, which are detailed below: Understanding of key building blocks in Exchange 2013 and onwards PREREQUISITES Clent Access Server (CAS) functions MBX Functions • Authentication • Proxying • Redirection • Biz logics • Storage • Load Balancing Transport Transport MRS MRSProxy MRS MRSProxy EWS EWS XSO XSO CTS CTS Store Store ESE ESE Content Index Content Index File System File System Mail Items Mail Items Other API Other API RPC CA RPC CA Assistants Assistants Protocols, Server Agents Business Logic Storage Server1, Vn Server2, Vn+1 EWS Protocol MRS Proxy SMTP Custom WS Banned Authentication can be through local or through a central directory like AD. This functionality authenticates any client who intends to connect to Exchange Proxying is the CAS functionality which renders backend services even if the clients connect through Web, POP, IMAP or server-side connections on SMTP or any UC services 1 2
  • 3. ATTACKER ACTIONS Exploited Server-Side Request Forgery (SSRF) vulnerability on Exchange servers WHAT HOW A weakness in the webserver which lets an attacker use the web server as a web client (like chrome, IE, Mozilla Firefox, Safari, and others) but with a command line. Attackers made random HTTP POST requests on Exchange servers which had CAS exposing HTTP proxy to render Outlook Web Access (OWA). The HTTP POSTs were targeting valid style sheets, gif files on Exchange servers at the path /owa/auth/Current/themes/ resources/<<xxx>>.css. Exchange servers were vulnerable, and such POST requests bypassed authentication and granted ‘LOCAL ADMIN/SYSTEM’ rights to the attacker.
  • 4. ATTACKER ACTIONS With SYSTEM access, the attackers placed ‘Web Shell’ on the compromised server. These ‘Web Shells’ were named with common names like ‘Login.aspx’ , which could easily go unnoticed during investigations WHAT HOW A Web shell is a script written in common web languages like ASP, Python, Ruby and others, which gives the attacker a command line to use the server as a client to run web requests of attackers’ choice (SSRF). The most used shell by the attackers was a well-known shell, ‘China Chopper’. This shell is meagerly 2-3KB in size, and an attacker could literally type and build the shell on the server without needing any file to be transferred over a network. Excerpt from ‘China Chopper’
  • 5. ATTACKER ACTIONS Now it’s ‘Nirvana’ WHAT HOW Attacker with system-level privileges on the server and ‘Web Shell’ implanted to execute under same permission levels Hafnium used this to access all mailboxes, scoop away sensitive information, get access to the local directory server, escalate privileges in a network and keep moving laterally inside the network. Now it’s ‘Nirvana’
  • 6. EXPLOITED VULNERABILITIES CVE-2021-26855 CVE-2021-26857 CVE-2021-26858 CVE-2021-27065 This is a server-side request forgery (SSRF) vulnerability in Exchange, which enabled the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. This is an insecure deserialization vulnerability in the Unified Messaging service. It is where a program deserializes untrusted user- controllable data. Exploiting this vulnerability provided HAFNIUM with the ability to run code as a SYSTEM on the Exchange server. This needs the permission of an administrator or another vulnerability to exploit. This is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM can authenticate with the Exchange server, then they could easily use this vulnerability to write a file to any path on the server. This allows them to authenticate by exploiting the CVE-2021- 26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. This is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM can authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. This allows them to authenticate by exploiting the CVE-2021- 26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. READ MORE READ MORE READ MORE READ MORE
  • 7. FROM CISO’S DESK VIJAY BHARTI SVP, Head of CSIRT, Happiest Minds Technologies This again is a stark reminder of how vulnerable IT systems are. It is just a matter of time; another “Zero-day” vulnerability is found and exploited to cause havoc on businesses. Organizations need to prepare for such eventualities by – Design systems for minimum impact by leveraging least privileges, Zero Trust architectures Invest in advanced Detective controls and mechanism for faster detection, analysis, and response Continuously test/review, conduct Cyber drills and exercises to ensure a coordinated response
  • 8. Happiest Minds Technologies Your Cyber Security Partner! Happiest Minds with its presence in India, U.S., UK, Canada, Australia and Middle East countries has very niche Cyber Security Incident Response Team (CSIRT) helping customers in solutioning advance detection techniques. CSIRT is vendor agnostic team with top notch Infosec practitioners working directly under supervision of CISO of Happiest Minds, Mr Bharti. Key services from CSIRT Preparing customers for better incident handling Consulting customers to shift from negative incident handling models to positive models Consult customers add ‘Visibility’ with measurable KPIs in the infosec program 1 2 3 If you are impacted/attacked, please email us at business@happiestminds.com for a pro-bono log analysis and plan the next steps. www.happiestminds.com