Update: Microsoft released new security updates for Exchange Server on April 13th (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483). The updates address bugs reported to Microsoft by the NSA and are considered urgent fixes that should be applied immediately.

On March 2nd, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.

Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to take control of an affected system, and can exploit one vulnerability (CVE-2021-26855) to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild. CISA also issued an emergency directive urging organizations to patch on-premises Exchange Servers and search their networks for indicators of attack.

For details of the Sophos protections against the exploitation of these vulnerabilities, click here. For an overview of HAFNIUM, and advice on how you should respond, watch this short video from Mat Gangwer, the head of the Sophos Managed Threat Response (MTR) team.

UPDATE: Other threat actors are now taking advantage of the persistence established by HAFNIUM to conduct a range of attacks. One actor is installing a new ransomware variant called DearCry.

It is important to note that patching only protects your organization from being exploited by these vulnerabilities going forward. It does NOT ensure that an adversary has not already exploited them. Patch all on-premises Microsoft Exchange servers in your environment with the relevant security update. Details can be found on Microsoft's Exchange Team blog. If you are unable to patch, implement an IIS Re-Write Rule and disable the Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir services. Details can be found in the Microsoft Security Response Center blog.

Download and run the Test-ProxyLogon.ps1 script provided by the Microsoft Customer Support Services team to determine possible exposure. Sophos recommends you back up Exchange IIS/Server logs before patching and updating. (Details on interpreting the results of this script can be found in this Microsoft article, a few paragraphs into the "Have I been compromised?" section.)

It is important to note that even with the patches installed, they will not address the presence of any malicious web shells. It is for this reason we recommend the use of Microsoft's script to identify affected servers and look for the presence of web shells. The script will look for evidence of each vulnerability being abused, creating one or more .csv files per Exchange server, depending on what it finds. The .csv files can be viewed in a text editor or spreadsheet application. It will also look for suspicious files (which may be web shells) which should be reviewed, and calculate how many days back in the logs it can identify potential abuse of the vulnerabilities.

Our most common observations are related to the output for CVE-2021-26855. Hosts that may have been exploited via CVE-2021-26855 will be listed in the file named after the server with the suffix -Cve-2021-26855.csv. The "ClientIpAddress" column will list the source IP addresses of potential attackers. The "AnchorMailbox" column will list a path to various applications running on Exchange that may have been targeted. To reveal what actions may have been taken by the attacker, you will need to extract the relevant application from AnchorMailbox; for example, the relevant application may be /autodiscover/. To determine what actions were taken by the adversary, you will then need to look at the logs in %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\ for that application.

Review process activity and command executions from the time the web shell was created, onwards. Investigate w3wp.exe (the IIS web server worker process) activity and any instances of csc.exe (the C# compiler) running as a child process. This should give you trailheads to establish impact. The following Sophos EDR Live Discover query will aid you in identifying activity of this nature.

/* MULTI - Query for patch level, web shells, and suspicious commands */
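The two triage steps this page describes, extracting the targeted application from the AnchorMailbox column of the Test-ProxyLogon.ps1 CVE-2021-26855 output and then looking for csc.exe or command interpreters spawned under w3wp.exe, are worked through below as an added Python example. It is not code from the Sophos page or from Microsoft's script. The CSV sample is constructed (a handful of HttpProxy log columns with invented IP addresses, hostname and timestamps), the process records are constructed, and the mapping of an application name to a Logging\HttpProxy subfolder is an assumption about the standard Exchange log layout that you should confirm on your own server.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample resembling the *-Cve-2021-26855.csv output of Test-ProxyLogon.ps1, which
# carries HttpProxy log columns. Only a few columns are shown; the IP addresses, hostname and
# timestamps are made up for this example.
SAMPLE_CSV = """DateTime,ClientIpAddress,AnchorMailbox,UrlStem,HttpStatus
2021-03-01T04:12:09.112Z,203.0.113.17,ServerInfo~a]@exch01.corp.example:444/autodiscover/autodiscover.xml?#,/owa/auth/x.js,200
2021-03-01T04:12:44.501Z,203.0.113.17,ServerInfo~a]@exch01.corp.example:444/ecp/default.flt?#,/ecp/y.js,200
2021-03-03T09:30:01.003Z,198.51.100.5,ServerInfo~localhost/mapi/emsmdb/?#,/ecp/z.js,200
2021-03-03T09:31:15.777Z,198.51.100.5,ServerInfo~localhost/mapi/emsmdb/?#,/ecp/z.js,200
2021-03-03T10:00:00.000Z,192.0.2.9,alice@corp.example,/ews/exchange.asmx,200
"""

# Abuse of CVE-2021-26855 shows up as a "ServerInfo~" anchor naming a backend host and an
# application path; the first path segment (autodiscover, ecp, mapi, ...) is the targeted application.
ANCHOR_RE = re.compile(r"^ServerInfo~[^/]*/([^/?#]+)", re.IGNORECASE)

LOG_ROOT = r"%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy"


def application_from_anchor(anchor):
    """Return the application named in a ServerInfo~ AnchorMailbox value (lower-cased), or None
    for an ordinary mailbox anchor such as user@domain."""
    m = ANCHOR_RE.match(anchor.strip())
    return m.group(1).lower() if m else None


def log_folder_for(app):
    """Folder under Logging\\HttpProxy to pull for the application. Assumption: the subfolder is
    the application name capitalised (Autodiscover, Ecp, Mapi, Owa, Ews); verify on your server."""
    return LOG_ROOT + "\\" + app.capitalize()


def triage_cve_2021_26855(csv_text):
    """Summarise the CSV per ClientIpAddress: applications targeted, first/last request, hit count."""
    by_ip = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = application_from_anchor(row["AnchorMailbox"])
        if app is None:
            continue  # not a ServerInfo~ anchor, so not the SSRF pattern
        ts = datetime.strptime(row["DateTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
        e = by_ip.setdefault(row["ClientIpAddress"],
                             {"apps": set(), "first": ts, "last": ts, "hits": 0})
        e["apps"].add(app)
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        e["hits"] += 1
    return by_ip


def evidence_window_days(by_ip):
    """Days between the earliest and latest suspicious request across all IPs (0 if none)."""
    if not by_ip:
        return 0
    first = min(e["first"] for e in by_ip.values())
    last = max(e["last"] for e in by_ip.values())
    return (last - first).days


# Constructed process-start records in the shape an EDR export would give (pid, ppid, image name).
SAMPLE_EVENTS = [
    {"pid": 900,  "ppid": 4,    "name": "svchost.exe"},
    {"pid": 4120, "ppid": 900,  "name": "w3wp.exe"},
    {"pid": 5100, "ppid": 4120, "name": "csc.exe"},         # an .aspx (possible web shell) being compiled
    {"pid": 5200, "ppid": 4120, "name": "cmd.exe"},         # command run through the shell
    {"pid": 5300, "ppid": 5200, "name": "powershell.exe"},  # grandchild of w3wp.exe
    {"pid": 7000, "ppid": 900,  "name": "devenv.exe"},
    {"pid": 7100, "ppid": 7000, "name": "csc.exe"},         # developer build, not under IIS
]

WATCHLIST = {"csc.exe", "cmd.exe", "powershell.exe"}


def suspicious_w3wp_children(events):
    """Return (name, chain) for watch-listed processes whose ancestry reaches w3wp.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["name"].lower() not in WATCHLIST:
            continue
        chain, seen, p = [e["name"]], set(), by_pid.get(e["ppid"])
        while p is not None and p["pid"] not in seen:  # 'seen' guards against pid reuse loops
            seen.add(p["pid"])
            chain.append(p["name"])
            if p["name"].lower() == "w3wp.exe":
                hits.append((e["name"], " <- ".join(chain)))
                break
            p = by_pid.get(p["ppid"])
    return hits


if __name__ == "__main__":
    summary = triage_cve_2021_26855(SAMPLE_CSV)
    for ip, e in summary.items():
        print(ip, sorted(e["apps"]), e["hits"], [log_folder_for(a) for a in sorted(e["apps"])])
    print("evidence window (days):", evidence_window_days(summary))
    for name, chain in suspicious_w3wp_children(SAMPLE_EVENTS):
        print(name, chain)
```

The per-IP summary tells you which HttpProxy folders to pull and how far back the evidence reaches, which is the "days back" figure Microsoft's script also reports. Treat the process hits as trailheads rather than verdicts: csc.exe under w3wp.exe is also what a legitimate first compile of an ASP.NET page looks like, so correlate its timestamp with the creation time of any suspicious .aspx file before drawing conclusions.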