Bad news for Microsoft Exchange Server customers arrived on 2 March 2021, when Microsoft disclosed that a Chinese state-sponsored group had been breaking into on-premises Microsoft Exchange Server (email server) installations around the world, with many victims in the U.K. and the U.S.A. Around 30,000 organisations were affected, including small businesses, government bodies, the European Banking Authority, NGOs and large enterprises.
According to the Microsoft Threat Intelligence Center (MSTIC), this is a state-sponsored cyberattack by the group Microsoft calls Hafnium, which operates out of China. It is not the first time Microsoft has seen Hafnium target Exchange Server and other Microsoft products. In this campaign the group chained four previously unknown Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 (Exchange Online, part of Office 365, is not affected). Microsoft briefed the relevant U.S. government agencies so that they could act on the attacks.
How did Hafnium hack Microsoft Exchange Servers?
According to Microsoft's research, Hafnium ran its attacks from leased virtual private servers (VPS) located in the USA. The attacker first used the vulnerabilities to gain access to an on-premises Exchange Server, then dropped web shells to keep that access and steal data.
Microsoft describes the attack on a vulnerable Exchange Server in three stages.
Method 1st:
Gaining access: the attacker either logged in with stolen passwords or used the zero-day vulnerabilities to disguise itself as someone who should have access to the server. Once in, it could read files, data and mailboxes on the server, and it kept that access running quietly in the background.
This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web. If you get a hit on that search, you’re now in incident response mode. https://t.co/865Q8cc1Rm
— Chris Krebs (@C_C_Krebs) March 5, 2021
Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted. https://t.co/HYKF2lA7sn
— Adrienne Watson (@NSC_Spox) March 6, 2021
Method 2nd:
Running a web shell on the server: the attacker creates a web shell (a small script reachable over HTTP) on the Exchange Server so it can control the server remotely, steal data and carry out further malicious actions to compromise the network.
One of the dropped web shells Microsoft reports is
/owa/auth/RedirSuiteServerProxy.aspx, stored in %PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
Method 3rd:
Using the remote access: from its U.S.A.-based virtual private servers (VPS), the attacker uses the web shell to steal data from the organisation's network and can also install further malware, including ransomware.
If you have already been hacked, the web shell remains on the server until it is removed or the Exchange Server is rebuilt, and attackers with this kind of access can try to extort a large amount of money from the company. Hafnium targeted on-premises Exchange Server 2013, 2016 and 2019. Microsoft's interim mitigation is to restrict untrusted connections to the Exchange Server (for example by placing it behind a VPN so that only authorised connections reach it) and then to install the security update.
You can get more details about the Hafnium Exchange Server zero-day exploits from Microsoft's official website.
Microsoft Recent Update On-premises Exchange Server Attack
Microsoft released Exchange Server security updates to protect customers' servers and networks from the Hafnium exploits. Please keep in mind that the updates are only for on-premises Exchange Server, not for other Microsoft products. Microsoft also stresses that installing the update does not remove an attacker who is already inside: it blocks the exploits but does not clean up a server that was compromised before patching. You should therefore install the update even if you believe your server has not been attacked, and then check the server for signs of compromise. You can also get on-premises Exchange Server support and IT consultancy from Dundee Computer Care.
See the most recent Microsoft security updates (March 2021) for the Exchange Server vulnerabilities
If you are running one of the following Exchange Server versions, install the matching security update to protect your server from being hacked.
- Latest Microsoft Exchange Server 2010 Update
- Latest Microsoft Exchange Server 2013 Update
- Latest Microsoft Exchange Server 2016 Update
- Latest Microsoft Exchange Server 2019 Update
Detect whether your Microsoft Exchange Server has been compromised.
Yes, you can check whether your server has been compromised. Microsoft provides detection through Azure Sentinel, Microsoft Defender for Endpoint and Microsoft 365 Defender, and you can also review the server's own log files and carry out a detailed investigation on the server. Get our IT Service Fife.
The following steps detect whether your server has been compromised by this email-server attack.
- Scan your Exchange Server log files in full
- Run the Microsoft Safety Scanner (MSERT), which has been updated to detect the Hafnium web shells
- Use the Microsoft IOC feed to check for the known malicious file paths and hashes on your on-premises Exchange Server
- Locate your IIS log files and analyse them for requests to the malicious paths where web shells were installed
- Run Microsoft's Exchange detection script (Test-ProxyLogon.ps1), which checks the HttpProxy logs for CVE-2021-26855 exploitation and the other log sources for the remaining CVEs
- Run the PowerShell script from an elevated command line on each Exchange Server
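The two checks that practitioners actually ran in March 2021, the HttpProxy log review from the list above and the hunt for 8-character .aspx files from the tweet and the web shell path in Method 2, as an added PowerShell example. This is not Microsoft's Test-ProxyLogon.ps1 and not code from this page: the function names, the constructed sample log rows (a subset of the real HttpProxy columns) and the temporary directories are all assumptions made for the demonstration. The published CVE-2021-26855 indicator it looks for is an HttpProxy request with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~host/path.

```powershell
# Added example (not Microsoft's or the page author's code): hunt for two Hafnium
# indicators on an on-premises Exchange server.
#   1. HttpProxy log rows with an empty AuthenticatedUser and an AnchorMailbox of the
#      form ServerInfo~<host>/<path>, the published CVE-2021-26855 pattern.
#   2. .aspx files whose name is exactly 8 characters in the directories where the
#      web shells were dropped.
# Both functions take a root path so they can be run against the constructed sample
# data at the bottom; on a real server point them at the paths in the usage note.

function Find-ProxyLogonRequests {
    param([Parameter(Mandatory)][string]$HttpProxyLogPath)

    Get-ChildItem -Path $HttpProxyLogPath -Recurse -Filter '*.log' -File |
        ForEach-Object {
            # HttpProxy logs are CSV; Import-Csv skips the leading '#' comment lines.
            Import-Csv -Path $_.FullName |
                Where-Object {
                    [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
                    $_.AnchorMailbox -like 'ServerInfo~*/*'
                } |
                Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
        }
}

function Find-SuspiciousAspx {
    param([Parameter(Mandatory)][string[]]$Path)

    Get-ChildItem -Path $Path -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName.Length -eq 8 } |
        Select-Object FullName, LastWriteTime, Length
}

# ---- Constructed sample data (not real logs) so the functions can be tried offline ----
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'hafnium-demo'
$logDir = Join-Path $sample 'Logging\HttpProxy\Owa'
$webDir = Join-Path $sample 'inetpub\wwwroot\aspnet_client\system_web'
New-Item -ItemType Directory -Path $logDir, $webDir -Force | Out-Null

# Two anonymous ServerInfo~ requests (suspicious) and one normal authenticated request.
@'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-02T10:15:01.000Z,1,203.0.113.7,/owa/auth/x.js,,ServerInfo~exch01.corp.example/autodiscover/autodiscover.xml
2021-03-02T10:16:42.000Z,2,198.51.100.20,/owa/,CORP\jdoe,Sid~S-1-5-21-1-2-3-1001
2021-03-02T10:17:05.000Z,3,203.0.113.7,/ecp/y.js,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject
'@ | Set-Content -Path (Join-Path $logDir 'HttpProxy_2021030210-1.log')

# One file matching the 8-character web shell naming and one that does not.
'<%@ Page Language="C#" %>' | Set-Content -Path (Join-Path $webDir 'aBcDeFgH.aspx')
'<%@ Page Language="C#" %>' | Set-Content -Path (Join-Path $webDir 'legit.aspx')

$hits   = @(Find-ProxyLogonRequests -HttpProxyLogPath (Join-Path $sample 'Logging\HttpProxy'))
$shells = @(Find-SuspiciousAspx -Path $webDir)

"Suspicious anonymous ServerInfo~ requests: $($hits.Count)"
$hits | Format-Table -AutoSize
"Suspicious 8-character .aspx files: $($shells.Count)"
$shells | Format-Table -AutoSize
```

On a real Exchange server call `Find-ProxyLogonRequests -HttpProxyLogPath "$env:ExchangeInstallPath\Logging\HttpProxy"` and `Find-SuspiciousAspx -Path 'C:\inetpub\wwwroot\aspnet_client\system_web', "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\auth"`. A hit from either function means the server must be treated as compromised and the incident investigated, not just patched.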
For more details, you can read the complete documentation of the Exchange Server vulnerability updates on Microsoft's website.
Get IT Support Fife to protect your Exchange Server from being hacked.
How to install the on-premises Exchange Server security updates?
After the Hafnium cyberattack, Microsoft released the March 2021 security update for Exchange Server; it is only available for the versions listed above. According to Microsoft, the update must be installed manually by running the .msp package from an elevated command prompt, not by double-clicking it.
Note: if you are running an older cumulative update (CU) or rollup (RU) of Exchange Server, you must first install a supported RU/CU before the security update will apply. Here is the video from Microsoft:
How to install the on-premises Exchange Server security update.
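The installation procedure described above, as an added PowerShell example rather than a transcript of Microsoft's video. It assumes Exchange Server is installed on the machine (so that ExSetup.exe is on the path), that the downloaded .msp for your version is passed in `-MspPath` (the file name in the comment is only illustrative), and it uses a log location of its own choosing.

```powershell
# Added example (not Microsoft's installer script or the page's video): apply an Exchange
# Server .msp security update the way Microsoft requires, from an elevated session, and
# record the Exchange build before and after so the result can be verified.
# Usage (elevated PowerShell):  .\Install-ExchangeSU.ps1 -MspPath C:\Updates\Exchange2016-KB5000871-x64-en.msp
param(
    [Parameter(Mandatory)][string]$MspPath,                       # downloaded .msp for your version
    [string]$LogPath = 'C:\Updates\ExchangeSU-install.log'        # assumed log location
)

# 1. The update must run with administrative rights. A non-elevated double-click can
#    report success while leaving OWA/ECP broken, so refuse to continue otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell window.'
}

if (-not (Test-Path -LiteralPath $MspPath)) {
    throw "Update file not found: $MspPath"
}

# 2. Record the build before patching. The SU only applies to the CU levels it was built
#    for; if this build is older, install a supported CU first (see the note above).
$before = (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo.ProductVersion
"Exchange build before update: $before"

# 3. Install with msiexec, logging verbosely, and wait for it to finish.
$proc = Start-Process -FilePath msiexec.exe `
    -ArgumentList "/update `"$MspPath`" /l*v `"$LogPath`"" `
    -Wait -PassThru
"msiexec exit code: $($proc.ExitCode)  (0 = success, 3010 = success but a reboot is required)"
if ($proc.ExitCode -notin 0, 3010) {
    throw "Installation failed; review $LogPath"
}

# 4. Re-read the build; a changed product version confirms the SU was applied.
$after = (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
"Exchange build after update:  $after"
```

Run it once per Exchange Server. After the update, reboot if msiexec returned 3010, then go back to the detection steps: a patched server that was already carrying a web shell is still compromised.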