A significant number of small businesses, towns, cities, and local governments have been disrupted by the recent Microsoft Exchange Server compromise attributed to HAFNIUM. The attacks gave threat actors a foothold inside these organizations' infrastructure through web shells dropped on the Exchange servers. The magnitude and sheer scale at which we are seeing the Exchange compromise hit small businesses is staggering.
I feel for these businesses, which make up the backbone of our economy as Main Street and which exist, at their core, to serve their customers, driven by necessity and passion. Events like this unfortunately do occur, and we must stay diligent in these uncertain times to ensure that appropriate proactive and reactive measures are taken to identify these threats and eradicate them for the small businesses that have been or could be impacted.
Listen to Microsoft!
Microsoft has released a script that quickly inventories the patch-level status of your on-premises Exchange servers. Run it first: it tells you which servers are still exposed, but not whether they were already compromised.
Now you need to see if you were compromised.
You should assume you were compromised. We recommend that you take the affected systems offline and investigate. The most common finding is web shells dropped into the filesystem. Even if you don't have a large security team, you can evaluate possible persistence mechanisms using Sysinternals Autoruns.
Disable or remove any scheduled tasks or autorun Windows Registry keys that look suspicious or out of place for your environment. Adversary persistence will typically execute PowerShell code (often with an encoded command line) or an executable binary that the adversary uploaded.
In addition, evaluate the ASP/ASPX files under
folders and subfolders in order to evaluate whether the content you find there might be malicious. Compare them to the baselines published by the Microsoft Exchange team. Anything that is not in the baseline should be considered suspicious and should be removed if your organization cannot determine a legitimate need for it.
I've Found the IOCs - Now What?
If you find suspicious ASP/ASPX files under the above folders, preserve a copy (and its hash and timestamps) for later investigation, then remove them from disk. Some adversaries have also dropped executable (.exe) files into the same folders. Examine any such EXEs with caution and remove any that are not part of the baseline if your organization cannot determine a legitimate need for them.
An additional step is to examine the currently running processes using Sysinternals Process Explorer. Focus on recently spawned PowerShell processes whose command lines contain an encoded command or a URL, and on any command shell whose parent is the IIS worker process (w3wp.exe), which is how a web shell runs commands.
Finally, before exposing the server to the internet again, apply the relevant patches to prevent re-exploitation. Patching closes the door; it does not remove web shells or persistence that are already in place, which is why the cleanup steps come first.
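To make the steps above repeatable on more than one server, here is an added PowerShell triage script written for this post; it is not Microsoft's patch-inventory script and not a tool from the original page. It is report-only (nothing is deleted) and collects the three kinds of evidence discussed above: Run-key and scheduled-task persistence that launches PowerShell, cmd, an encoded command or a URL; ASP/ASPX/EXE files under the web folders whose SHA256 hash is not in a known-good baseline; and running PowerShell processes with encoded or URL-bearing command lines, plus any cmd/PowerShell child of w3wp.exe. Assumptions that are not taken from the page: the web folders to scan are supplied by the operator through `-WebRoots`, the baseline is a plain text file of SHA256 hashes, one per line, that you build from the Microsoft Exchange team's baselines, and `-ReportPath` is where the JSON report lands.

```powershell
# Added triage example for this post, not Microsoft's script. Report-only: nothing is
# deleted; review the output and preserve copies before removing anything.
# Assumptions (not from the page): -WebRoots is the operator-supplied list of Exchange
# web folders to scan, -BaselineHashFile is a text file of known-good SHA256 hashes
# (one per line) built from the Microsoft baselines, -ReportPath is the JSON output.
# Run in an elevated PowerShell session on the Exchange server.
param(
    [Parameter(Mandatory)] [string[]] $WebRoots,
    [Parameter(Mandatory)] [string]   $BaselineHashFile,
    [string] $ReportPath = "$env:TEMP\exchange-triage.json"
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# Command-line features typical of dropped persistence: an interpreter, an encoded
# command switch (-e/-ec/-enc/-EncodedCommand), in-memory download/execution, or a URL.
$suspicious = '(?i)powershell|pwsh|cmd\.exe|\s-e[a-z]*\s|FromBase64String|DownloadString|IEX|Invoke-Expression|https?://'

# --- 1. Persistence: Run/RunOnce keys (the same data Autoruns shows) -----------------
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }        # provider metadata, not a value
        if ("$($p.Value)" -match $suspicious) { Add-Finding 'RegistryRun' "$key\$($p.Name)" "$($p.Value)" }
    }
}

# --- 1b. Persistence: scheduled tasks whose action matches the same pattern ----------
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspicious) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

# --- 2. Web folders: ASP/ASPX/EXE files whose hash is not in the baseline ------------
$baseline = [System.Collections.Generic.HashSet[string]]::new(
    [string[]] @(Get-Content $BaselineHashFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }),
    [System.StringComparer]::OrdinalIgnoreCase)
foreach ($root in $WebRoots) {
    if (-not (Test-Path $root)) { Add-Finding 'MissingWebRoot' $root 'path not found'; continue }
    Get-ChildItem -Path $root -Recurse -File -Include '*.asp', '*.aspx', '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if (-not $baseline.Contains($hash)) {
                Add-Finding 'WebFileNotInBaseline' $_.FullName "SHA256=$hash LastWriteUtc=$($_.LastWriteTimeUtc.ToString('u'))"
            }
        }
}

# --- 3. Live processes: encoded/URL PowerShell, or shells spawned by IIS (w3wp.exe) ----
$all = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
foreach ($proc in $all) {
    $cl = "$($proc.CommandLine)"
    $parent = $byPid[[int]$proc.ParentProcessId]
    $isShell = $proc.Name -match '(?i)^(powershell|pwsh|cmd)\.exe$'
    $fromIis = $parent -and ($parent.Name -ieq 'w3wp.exe')
    $decoded = $null
    # -EncodedCommand takes base64 of UTF-16LE text; decode it so the analyst can read it.
    if ($isShell -and $cl -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})') {
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { $decoded = '<base64 decode failed>' }
    }
    if (($fromIis -and $isShell) -or $decoded -or ($isShell -and $cl -match '(?i)https?://|DownloadString|IEX|FromBase64String')) {
        $where = "PID $($proc.ProcessId) parent=$($parent.Name)($($proc.ParentProcessId)) started=$($proc.CreationDate)"
        $detail = if ($decoded) { "decoded: $decoded" } else { $cl }
        Add-Finding 'SuspiciousProcess' $where $detail
    }
}

# --- Output ---------------------------------------------------------------------------
ConvertTo-Json -InputObject @($findings.ToArray()) -Depth 3 | Set-Content -Path $ReportPath -Encoding UTF8
$findings | Format-Table -AutoSize -Wrap
Write-Host "$($findings.Count) finding(s) written to $ReportPath"
```

Save it as, say, `exchange-triage.ps1` (a name chosen here) and run `powershell -ExecutionPolicy Bypass -File .\exchange-triage.ps1 -WebRoots <folder1>,<folder2> -BaselineHashFile .\baseline.txt`, passing the Exchange web folders listed above. Expect some noise: legitimate admin scheduled tasks also launch PowerShell, so treat each finding as something to explain, not something to delete automatically. A decoded command line that downloads and runs further code, or any cmd/PowerShell whose parent is w3wp.exe, is the kind of finding that should be treated as confirmed compromise.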
These are simple steps that we hope anyone can take on servers they suspect are vulnerable or compromised. If you have Microsoft Defender, you can quickly and effectively assess your exposure to the known vulnerabilities (CVEs) being leveraged to gain persistence within your environment.
Under the "Threat Analytics" section within Defender, you will find the analysis of the Exchange Server zero-days exploited in the wild, along with up-to-date associated IOCs and the tactics being used by the HAFNIUM group.
Countermeasures can be taken from the "Mitigations" tab, which provides secure-configuration recommendations as well as the known CVEs for which patching and blocking are prescribed.
As we stated, there are lots of tools available, and we also know that some organizations still need a partner in crime (or anti-crime, in this case). Since this exploit was uncovered, we have been managing remediation and helping organizations of all sizes deploy countermeasures so they can focus on growing their business rather than worrying about security. If you are looking for assistance with the Microsoft Exchange compromise, our team of experts can be contacted directly to help prevent further exploitation.