Introduction
A small US-based chemical manufacturer, whose supply chain comprises 50+ household names in chemicals, was hit with a creative new twist on the HAFNIUM threat targeting Microsoft Exchange Servers. This new threat, coined ProxyShell, exposed companies’ on-premises email to a new and present danger. Kivu’s 24×7 cyber security monitoring service (Kivu was acquired by Quorum Cyber in 2024) flagged the ProxyShell activity and dispatched it. Within 48 hours, Kivu and the chemical company had remediated the incident and strengthened the company’s stance against this attack surface and future attacks.
The challenge
HAFNIUM is a Chinese state-sponsored threat actor focused on information theft and espionage. Building on the HAFNIUM techniques, ProxyShell was discovered by security researcher Orange Tsai, who presented it in detail at a security conference in August 2021. The researcher found that by chaining together three different vulnerabilities, threat actors could establish web-shell-based backdoor access to a company’s email server. The actor could then perform unauthenticated remote code execution – potentially gaining the “keys to the castle” – to release emails, exfiltrate data and then move on to owning the whole company network from the inside out.
Kivu’s response and solution
Alerted to the true nature of the threat (as opposed to activity from known bad actors) by the monitoring service, Kivu’s team acted immediately. By analysing log and server files, the team identified the new indicators of compromise (IOCs) associated with ProxyShell activity. Kivu isolated the affected system from the company’s operational systems (while keeping it connected to Kivu for analysis), preventing further spread.
Kivu then worked with the company’s two-person IT department, following Microsoft and industry guidance, to rebuild the mail server in a hardened configuration. Kivu consultants consolidated the techniques used in this ProxyShell attempt, together with input from Microsoft and forward-looking recommendations, into a shared threat intelligence and reporting platform, ensuring the knowledge was shared quickly within Kivu and then with other Kivu clients that may have been affected or were about to be attacked. Much of this work was completed within 48 hours over a weekend.
Kivu used this threat profile across all of its customers, identifying those with on-premises Exchange mail servers, alerting nine others at risk, stopping further ProxyShell exploitation attempts, and supporting Kivu’s wider digital forensics and incident response efforts.
Outcome
Because it had Kivu’s Cyber-as-a-Service 24×7 threat monitoring in place, the company:
- Rapidly identified a brand-new risk (under two days old) and remedied the situation
- Prevented hijacking and man-in-the-middle attack risks, which could have led to fraud
- Avoided business downtime and maintained its 99% service level agreement (SLA).