Threat Watch

Opportunistic Exploitation of Microsoft Exchange Vulnerabilities Growing

Since the revelation of four recently discovered vulnerabilities and following out-of-band updates for Microsoft Exchange, proof of concept exploits are growing in number and many of them have been publicly released on GitHub. In response to the increasingly dangerous situation IT administration and security departments are facing, Microsoft released a PowerShell scripts to help detect commands and malformed cookies commonly seen in PoCs and in attacks attributed to the APT group Hafnium.

ANALYST NOTES

Analyst Notes:

Implementing the available patches is the most critical step in preventing future exploitation, but security teams must be aware that any Exchange servers that have already been compromised can continue to be exploited if webshells or other backdoor access methods are not removed. Making sure also to take advantage of the available resources to detect potentially exploited services will also be valuable when incident response procedures are initiated. As always, verifying that the necessary logs are being collected for detection, response, and monitoring is still required and will make situations like these manageable.

References:
https://www.zdnet.com/article/check-to-see-if-youre-vulnerable-to-microsoft-exchange-server-zero-days-using-this-tool/
https://github.com/microsoft/CSS-Exchange/tree/main/Security
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch
Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support