Responding to a Reported Zero-Day Exploit: The Hafnium Exchange Server Attack

The threat actor, attributed to a Chinese state-sponsored group known as HAFNIUM, had been operating undetected since at least January 3rd. Microsoft's emergency patch did not arrive until March 15th — a window of over ten weeks in which organisations running on-premises Exchange had no vendor-supplied fix. Exchange versions going back to 2013 were affected.

This webinar, presented by Kev Breen (Director of Cyber Threat Research, Immersive) and Chris Pace (Technology Advocate, Immersive), walks through what happened, how to detect it, and — critically — how to respond to zero-day attacks in general when a patch is not yet available.

What This Session Covers

‍

The Hafnium attack chain

The campaign exploited four CVEs in combination: a server-side request forgery vulnerability used to establish an SSL connection to the Exchange back-end, an authentication bypass, and a remote code execution flaw that allowed attackers to install web shells on the compromised server. Each step left forensic artefacts — specific HTTP POST requests to Exchange control panel paths, .aspx files dropped in non-standard directories, and non-standard user agents in IIS logs — that defenders could hunt for once the attack was disclosed.

What attackers did after gaining access

Post-compromise activity followed a now-familiar playbook. Memory dumps were used to harvest credentials from running processes. PsExec was used to execute commands on remote systems across the network — a sign that attackers were not satisfied with a single beachhead. WinRAR was used to compress mailbox data ahead of exfiltration. Web shells were deployed not only for persistence but as proxies to external attacker-controlled infrastructure. In some cases, new user accounts were created with elevated privileges, likely to facilitate Active Directory compromise.

Living off the land

One of the most important themes in the session is the shift in attacker tradecraft away from custom malware and towards "living off the land" — using Microsoft's own signed administrative tools (PsExec, PowerShell remoting, WinRAR) to carry out malicious activity. Because these are the same tools legitimate administrators use daily, traditional signature-based detection frequently misses them. Defenders must instead correlate behaviour: which account ran a command, at what time, from which system, and whether that pattern matches expected administrative activity.

The zero-day response framework

The presenters discuss what a structured response looks like when a vulnerability is disclosed with no patch available.

This includes:

• Isolating affected systems before they can be used as pivot points
• Hunting for indicators of compromise (IoCs) using Microsoft's published detection scripts
• Reviewing IIS and Exchange Control Panel logs for anomalous POST requests
• Auditing Active Directory for newly created or elevated accounts