Alert: Actionable Guidance on Hafnium Cyber Attacks

April 12, 2021

Following emergency government directives regarding the Hafnium cyber attacks, FTI Cybersecurity has issued immediate actionable intelligence.  

Many organizations are vulnerable to this attack, and the nation-state group behind it has been targeting entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Given the significant risk potential in this evolving situation, FTI Cybersecurity encourages all clients to take a proactive stance in addressing this threat. All entities that currently run Microsoft Exchange Server on-premises or in a hybrid model should assume they may have been breached.

FTI Cybersecurity has issued immediate actionable intelligence advising steps you can take to remain secure and resilient in the face of this ongoing threat. 

As we learn more about the cyber attack, what was impacted, and how to mitigate risks, we will list new updates and developments here:

Recent Developments

  • April 12, 2021 | Malware Analysis Reports (MARs) regarding CISA Alert AA21-062A
    • MAR-10330097-1.v1: DearCry Ransomware: This report “identifies ransomware that has been used to exploit compromised on-premises Exchange servers. The malware encrypts files on a device and demands ransom in exchange for decryption.”
    • MAR-10331466-1.v1: China Chopper Webshell: This report “identifies a China Chopper webshell observed in post-compromised Microsoft Exchange Servers. After successfully exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.”
  • March 31, 2021 | Supplemental Direction: This update provides “additional forensic triage and server hardening requirements for federal agencies” and recommends running new tools to identify compromised servers.
  • March 18, 2021 | Microsoft Releases Exchange On-premises Mitigation Tool: Users without dedicated security teams, or who are unfamiliar with how to patch and update, can use this automated tool as an interim solution. 
  • March 15, 2021 | Updates on Microsoft Exchange Server Vulnerabilities: CISA Malware Analysis Reports (MARs) and information on ransomware associated with this exploitation.
  • March 6, 2021 | Microsoft Exchange Server Vulnerabilities Mitigations: Alternative mitigation options for organizations unable to immediately apply updates or patch. 
  • March 3, 2021 | CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities 
  • March 3, 2021 | CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.  
  • March 3, 2021 | NCSC Alert: Advice following Microsoft vulnerabilities exploitation, urgent updates released for Exchange server