Over 200 Bangladesh Organizations Hit by Hafnium Hacker Group
The Group Normally Exfiltrates Data to File Sharing Sites Like MEGA After Gaining Access to A Victim’s Network.
According to a Cyber Threat Report released by the Bangladesh Government’s e-Government Computer Incident Response Team (BGD e-GOV CIRT) on April 1st, hacker group Hafnium has launched attacks on more than 200 organizations in Bangladesh.
Bangladesh Telecommunication Regulatory Commission (BTRC), Bangladesh Bank, commercial banks, and Internet service providers were among the targets.
The report claims the hacker group initiated the attacks last month.
In order to observe the current threat landscape following the latest exploitation of Microsoft Exchange Server vulnerabilities, the Cyber Threat Research Unit of BGD e-GOV CIRT recently found IP addresses associated with different Bangladeshi organizations; some of these have already been exploited, and others remain vulnerable to these threats.
In an interview for Dhaka Tribune, Bangladesh Computer Council Director Tarique M. Barkatullah said that “The malware is inserted through Microsoft Exchange Server. Although no money has been stolen yet, information has been leaked which creates a fear of huge financial loss or stealing of money in the future.”
Nevertheless, Barkatullah added that companies can recover from this attack by using the Hafnium exploit file.
Who Is Hafnium?
Hafnium is a cyberespionage group operating out of China, based on observed victimology, tactics, and procedures.
Identified by the Microsoft Threat Intelligence Center (MSTIC), Hafnium is attacking infectious disease researchers, law firms, universities, defense contractors, policy think tanks, and NGOs in the US, aiming to exfiltrate sensitive information. Cybersecurity experts believe Hafnium is responsible for the massive cyberattack that targeted Microsoft’s business email software, Microsoft Exchange.
Microsoft has detected multiple zero-day exploits used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.
In recent attacks, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed the installation of additional malware to ease long-term access to victims’ systems.
Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we’ve seen use these exploits. The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.
Back in March, Heimdal™ Security announced an emergency intervention to fix flaws associated with the Microsoft Exchange Server Exploit following the news that tens of thousands of institutions and organizations have been affected by the four Microsoft Exchange Server vulnerabilities.
In addition, BGD e-GOV CIRT requests all the organizations to take the following measures:
- Run newly developed tools, Microsoft’s Test-ProxyLogon.ps1 script and the Safety Scanner (MSERT), to investigate whether their Microsoft Exchange Servers have been compromised;
- Maintain up-to-date antivirus signatures and engines;
- Keep operating system patches up-to-date;
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication;
- Restrict users’ permissions to install and run unwanted software applications. Do not add users to the local administrators’ group unless required;
- Enforce a strong password policy and implement regular password changes;
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known;
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests;
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content;
- Scan all software downloaded from the Internet prior to executing;
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs);
- Report any incidents or issues to BGD e-GOV CIRT, so that they can be handled in a collaborative fashion, through https://www.cirt.gov.bd/incident-reporting/.