Since the revelation of four recently discovered vulnerabilities and following out-of-band updates for Microsoft Exchange, proof of concept exploits are growing in number and many of them have been publicly released on GitHub. In response to the increasingly dangerous situation IT administration and security departments are facing, Microsoft released a PowerShell scripts to help detect commands and malformed cookies commonly seen in PoCs and in attacks attributed to the APT group Hafnium.
Analyst Notes
Analyst Notes:
Implementing the available patches is the most critical step in preventing future exploitation, but security teams must be aware that any Exchange servers that have already been compromised can continue to be exploited if webshells or other backdoor access methods are not removed. Making sure also to take advantage of the available resources to detect potentially exploited services will also be valuable when incident response procedures are initiated. As always, verifying that the necessary logs are being collected for detection, response, and monitoring is still required and will make situations like these manageable.
References:
https://www.zdnet.com/article/check-to-see-if-youre-vulnerable-to-microsoft-exchange-server-zero-days-using-this-tool/
https://github.com/microsoft/CSS-Exchange/tree/main/Security
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
