The estimated reading time 5 minutes

the last few days lot of people around the globe, had some issues with patching and securing Microsoft Exchange Onpremis servers. The “0day” exploit HAFNIUM was available for exchange 2010 – 2019, so every exchange admin who published exchange was vulnerable. But that is not the only problem. Exchange Servers have been compromised with Backdoors and other malware (I’ve seen it several times).
What can you do to check your exchange and much more important, what to do if you have been hit by this.

UPDATE is the only answer and do it FAST! If you have questions, see this graph from MS

If your exchange is installed on latest CU, you only need to install the patch (can be done via Windows Updates) or you can manually download it at this link: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

Another PDF treating update process and some kind of important information.

Exchange 2010 what can I do?

Simple answer, patching!
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459

NOTE: executing MSPs will work, if you use an administrative cmd to start them, otherwise there can be update issues with UAC (user account control).

Did someone break in?

One simple answer, maybe someone broke into your exchange and you didn’t even notice. Mostly the hackers leave some kind of traces behind, where you can find them. I’ll try to explain them in this section.

First use the Github Script Test-ProxyLogon.ps1 to check your exchange.
https://github.com/microsoft/CSS-Exchange/tree/main/Security

direct download Test-ProxyLogon.ps1

If you are one of the few which have a GREEN output, it is possible that you have not been attacked, or you cleared your logs and the script did not find the relevant information. (if done so, maybe restore it from backup and do some research).
Script for cleanup:GitHub – SammyKrosoft/Clean-ExchangeLogs: Script from Edward van Bilkon, Microsoft Most Valuable Professional, to cleanup Exchange log files (Exchange 2013, 2016, 2019)

Lot’s of exchange server in germany have been attacked starting on march 3rd 2021.

Holy sh**** it is RED!

Immediate action

Remove Internet access to your exchange server, do an antivirus FULLSCAN (you can use windows defender). On my infected exchange servers Defender found Backoors and Exploits and deleted them.
Additionally: use the Microsoft Safety Scanner in any case.
UPDATE: Windows Defender can find exploits with build Version: 1.331.2471.0 or higher

To find your version of Windows Defender:

Get-MpComputerStatus | ft AntivirusEnabled,AntivirusSignatureVersion,AntispywareEnabled,AntispywareSignatureVersion

my screenshot shows an infected system, scanned with defender

UPDATE 03/16/2021 EOMT.PS1 Script for checking
https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-premises-mitigation-tool-eomt

Exchange On-premises Mitigation Tool (EOMT)
This new script want to protect the special exchange servers, which didn’t get an update yet. With this kind of workaround you can buy some time to update your exchange (does not replace the update itself).
What do you need?
– Internet connection
– administrative powershell

When should you execute this script?
Nearly every situation, if you:
did nothing yet
-> EOMT.PS1 (can reduce vulnerability, and checks server)
not updated yet, but did the scripting to reduce damage
-> EOMT.PS1 (repair Exchange, reduce vulnerability)
Updates finished
->EEOMT.PS1 (precautions)
NOTE: script can be executed without parameters, but by default it executes an quick MSERT scan.

What it does?

  • checks vulnerability by determining installed patches
  • downloads IIS Rewrite tool
  • Checks exchange server with MSERT

Some damage?
I didn’t preceive any damage until today.

Are there some logs?

Yes, they are stored in C:\EOMTSummary.txt

Analysis

You don’t know what backdoors or other exploits did to your exchange, the following steps show the most common attacks, and what they did.
NOTE: The attack is difficult to identify, in this blogpost I describe the most common ones.

Eventlog

OAB (Offline Address Book) date of change (was reseted by attackers sometimes, see the date)
maybe som kind of certificate warnings can be a result

Check the list of files on your exchange, if you see one of this, you have been hacked:

C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx
C:\inetpub\wwwroot\aspnet_client\discover.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\TimeoutLogout.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookEN.aspx
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\39dba043\4e0b7b81\App_Web_1bsqa4yl.0.js

Additional information see this Link

NTFS Permissions were changed (check the following folder)
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

“System”, “Administrators” should have fullaccess, “Authenticated Users” read permissions. (Check inheritance)

Scheduled Tasks
some infected systems had additional scheduled task, executing powershell, with this script you can analyse the system on powershell tasks

$taskpowershell =  schtasks.exe /query /V /FO CSV | ConvertFrom-Csv | select TaskName,"Task to Run",Author,"Start Date","StartTime"|where{$_ -like "*powershell*"} 
$taskpowershell | fl

Check bad password counters:

Get-ADUser -Filter * -Properties * | sort badpwdcount -Descending | Where-Object {$_.badPwdCount -gt 1} | ft Name,SamAccountName,badPwdCount  

If you can find nothing of the mentioned arguments on your exchange, you are not that safe. It is possible that some only tried the exploid.
There are thousand other ways to compromise your exchange and residual risk remains.
BTW: if you cleaned your exchange from backdoors etc. password change would be advisable

Print Friendly, PDF & Email
  • Was this Helpful ?
  • yes   no