Your On-premise Microsoft Exchange Might be Compromised

W e s t h a m   T r a d e   I n f o r m s   y o u

 

Recently we discovered a threat on one of our Exchange Servers, related to a recent targeted attack from the Hafnium Chinese Group, targeting a large group of US Corporations with Exchange Servers. Luckily, we managed to get it fixed really fast and we wanted to share this experience with all of our clients.

 

The former head of National CyberSecurity and Infrastructure Security Agency (CISA) Chris Krebs, tweets: “This is the Real deal. If your Organizations Runs an OWA server expose to the internet, assume compromise between 02/26-03/03. Check for 8-character asp file in:

 

C:\\inetpub\wwroot\aspnet_client\system_web\.

 

If you get a hit on that search you are now in incident response mode.

 

On our unpatched server, in effect, we saw such files as a backdoor shell script written and hosted on the front end, leaving the possibility to a bigger threat. We saw that file written and minutes later we were crafting the response and patching the server as per Microsoft instructions.

 

Even though the attack is new, the attack vector is low, meaning that anyone with small knowledge can take advantage of such vulnerability to target your server.   P A T C H   N O W !

How to fix it

 

Microsoft Responded

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

 

Microsoft already released a security update, bundled on the march 2 of 2021 Cumulative Update for Exchange 2010-2019, and marked as critical and urgent to patch.

 

Patch Date

Microsoft already released a security update, bundled on the march 2 of 2021 Cumulative Update

 

Follow this Steps

  • Check for the status of your exchange server and see if you have been compromised:
  • If the scripts respond with a possible threat, analyze the depth of the threat and block connections for the IP addresses that started such threat.
  • Patch the server to CU8 (You can find the patch in the VLSC Portal, not available yet through Windows Update)

You can also use Thor Lite Vulnerability Assessment to check for any other information of a possible attack.

 

If you can’t find CU8 in your SW distribution, please contact us for Alternative Solutions.

 

Contact Us:

 

Oscar Jaen
Hybrid IT Product Manager

1(305) 717 5400

Oscar.Jaen@wtrade.com

Engineer with more than 10 Years’ Experience with HPE Solutions.

Leave a Comment