Microsoft Exchange vulnerabilities – MS cleaning tool is not removing all adversaries footholds

On March 2, Microsoft released updates for Exchange server vulnerabilities. The highest warning level applies, the threat situation is more than critical. In this blog post, we want to give you an update on what critical footholds the testing methods proposed by Microsoft and others fail to detect. The findings and actions described below are the results from over 50 Exchange breach investigations conducted by InfoGuard CSIRT and are unfortunately real. Act NOW!

In the last 2 weeks the InfoGuard CSIRT investigated over 50 potential Exchange Server breaches based on some of the 0-day vulnerabilities published by Microsoft on March 2nd 2021. While the vulnerabilities and how attackers exploit them has been described in great length by many entities, we wanted to give our readers insights into what the checking procedures suggested by Microsoft and other fail to detect. All of the described situations are real world examples we observed in our investigations. First let's present some facts.

• Out of the around 50 investigations over 70% did have webshells installed at some point.
• In a number of cases the MSERT tool did not identify all webshells that were placed by the attackers.
• In 5 cases the attackers interacted with the webshell and conducted internal recon
• In at least 4 cases the attackers deleted certain log files and/or deleted their initially used webshells.
• In 2 cases the attackers were able to move laterally.
• In one case they compromised the whole domain!

So what do those facts mean for you?

• Scanning the system with the MSERT tool is not enough as it might miss webshells.
• Look for signs of attempted privilege escalation (Normally Exchange runs with a local user account)
• Even if the Exchange Server seems to be clean at the time of your investigation, it does not mean you are not affected. The attacker could just have moved laterally and cleaned up the initial entry point. So carefully watch all servers that could directly or indirectly be reached through the Exchange Server.
• If uncertain if the server has been breached, we recommend following the GovCERT measures and restage the Exchange server.

What can you do?

1. Watch AV alerts very closely. I any alert comes up with a name like "Cobalt Strike" or "Powersploit" you have got a serious problem and your data is potentially being siphoned off at this point, encryption might be imminent.
2. If you discover suspicious behaviour in your network, Let us know as soon as possibel to discuss further actions.

InfoGuard supports you – around the clock!

• The InfoGuard CSIRT can support you in checking your Exchange Server in depth.
• We offer a monitoring service for a month specifically for your Exchange servers. That means we will react to any new attack or breakout attempt on these servers immediately to prevent potential harm.
• We also offer Compromise Assessments that cover your whole environment. This way we can look for any attacker traces deep in your network.