– This is twice as big as the SolarWinds breach.
– Patching is not enough! If your Exchange Server was open to the internet via TCP 80 or 443 between February 26 and March 3rd (or later) assume it was compromised.
At least 30,000 organizations have had a backdoor installed on their Microsoft Exchange Server (on-premises).
We know it is at least this many because researchers have built an NMAP script to scan the internet for infected hosts.
There is nothing to indicate that Exchange Online has been impacted, but organizations in O365 could still have been hacked because most of those customers still have an internet-facing Exchange Hybrid server.
How to hunt for the existence of a backdoor known as a web shell.
(A web shell is an internet accessible web page that the hacker places on the Exchange Server that gives the attackers administrative access to the Exchange Server)
Indicators of Compromise
web.aspx
help.aspx
document.aspx
errorEE.aspx
errorEEE.aspx
errorEW.aspx
errorFF.aspx
healthcheck.aspx
aspnet_www.aspx
aspnet_client.aspx
xx.aspx
shell.aspx
aspnet_iisstart.aspx
one.aspx
RedirSuiteServerProxy.aspx
y.js
<random_name>.aspx (often 8 characters)
In these directories:
o c:\inetpub\wwwroot\aspnet_client\
o c:\inetpub\wwwroot\aspnet_client\system_web\
o C:\Exchange\FrontEnd\HttpProxy\owa\auth\
o %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
– Signs of large amounts of SMB network traffic from the Exchange Server to internal network
– Scheduled Task on Exchange Server named Winnet
– Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.
– Monitor c:\root and c:\windows\temp for LSASS dumps (attackers used procdump64.exe) or rundll32 C:\windows\system32\comsvcs.dll MiniDump lsass.dmp
In some cases, additional dynamic link libraries (DLLs) and compiled aspx files are created shortly after the webshells are first interacted with via POST requests in the following locations:
- C:\Windows\Microsoft.NET\Framework64\<version>\Temporary ASP.NET Files\root\
- C:\Windows\Microsoft.NET\Framework64\<version>\Temporary ASP.NET Files\owa\
Administrator is removed from the “Exchange Organization administrators” group (credit rapid7)
– Scan Exchange Logs for IOCs (manually here) or with the Microsoft script (here)
– You can also use this NMAP script to see if your servers are vulnerable after patching them.
In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments.
On March 6th, a security researcher created a honeypot with these vulnerabilities and found that it was exploited 5 times in less than 24 hours. This indicates several copy-cat threat actors are already targeting these vulnerabilities.
If you find evidence of compromise, activate your incident response procedures. You may have a legal requirement to notify within 72 hours of sensitive data was accessed in your email or network.
What versions are affected?
– Exchange 2013 Versions < 15.00.1497.012
– Exchange 2016 CU18 < 15.01.2106.013
– Exchange 2016 CU19 < 15.01.2176.009
– Exchange 2019 CU7 < 15.02.0721.013
– Exchange 2019 CU8 < 15.02.0792.010
– Microsoft issued CU 31 for Exchange Server 2010 – best to apply that, but it would be better to upgrade your hybrid server since Exchange 2010 normally does not receive security updates (this was a kind gesture on Microsoft’s part).
How do we prevent this from happening again?
– The only reason an Exchange Hybrid Server should still be internet-facing is if there are still on-premises mailboxes. Move those to the cloud and then shut off internet access to your hybrid server after moving the Autodiscover DNS record to point to Autodiscover.outlook.com.
– If you have no on-premises mailboxes, you should close TCP 80/443 after moving Autodiscover to cloud
Learn more: Read the announcement, or view the Exchange blog. We also recommend the Volexity post (here) and Rapid7 post (here).
The Cloud Technologist 