Editor's Choice: This article has been selected by our editors as an exceptional contribution.
Exchange HAFNIUM+ Mitigations
Philip ElderSenior Technical Architect - HA/Compute/Storage
CERTIFIED EXPERT
Our community of experts have been thoroughly vetted for their expertise and industry experience. Experts with Gold status have received one of our highest-level Expert Awards, which recognize experts for their valuable contributions.
Philip is a Technical Architect specializing in high availability solutions for SMB/SME businesses and hosting companies.
What to do if an on-premises Exchange server looks to be compromised. This list is _not_ complete; it is an aggregate of the various things we have in our toolbox.
It's important to note that our Exchange 2016 CU19 instance would not apply the security update. We had to update to CU20 before the KB5001779 would run.
You may get a prompt about services not being stopped; we had three. Be patient and wait for them to disappear from the Task Manager Processes list! They will. Then hit the RETRY button.
The FBI is logging in to compromised Exchange servers to "clean up web shells" left by the various groups now using those servers to deploy crypto-malware.
Recently (as of the original article date), Microsoft Threat Intelligence Center (MSTIC) has attributed previously unknown exploits targeting on-premises Exchange Servers to HAFNIUM.
From the Microsoft blog post on the cyber attacks, it is being recognised as a sophisticated three-step attack: First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what's called a web shell to control the compromised server remotely. Third, it would use that remote access, run from the U.S.-based private servers, to steal data from an organization's network.
There are steps to test and check whether you are vulnerable. Most importantly, make sure you are applying all the security patches. Your first step is to read this article and the various articles listed below. Then follow the suggestions presented below.
Backup Setup
The key to any disaster is knowing that the backup repository is okay. Is it? Has it been tested?
Immutability built in to the backup setup is critical to having a place to go to if you are compromised and encrypted. Why? Because the folks running the ransomware processes get in, scope, compromise, and wait until their intelligence gathering is done before _deleting_ the backups and the backup server.
Make sure to set aside the backups from the last two weeks of February and the first two weeks of March as soon as possible. Get them air-gapped stat!
Verify Edge/Router
Check with the edge/router vendor's security suite to see if and when they updated their signatures to block any Exchange exploit related scans.
SUGGESTION 1: Geo-limit incoming packets to your geographical region, at least until things have been cleared up.
SUGGESTION 2: Use a cloud-based mail sanitization and continuity provider. With Exchange offline, users would still have access to a mailbox. Plus, inbound SMTP would only be accepted from the provider, which eliminates direct SMTP authentication attacks, and most of the bad stuff would never make it inside the network.
Mitigations
If scans show that there were issues, then it's time to delve into the indicated logs.
Create a new Domain Admin account with Schema Admin and Enterprise Admin membership then disable all other domain admin accounts _after_ logging on with the new account.
Have all passwords for user accounts reset.
The PowerShell steps below to scan AD for new objects are key to figuring out whether any rogue accounts were set up after the fact.
Save the Test-ProxyLogon.ps1 script (from Microsoft's CSS-Exchange repository, linked in the comments below) as "Test-ProxyLogon.ps1", with the quotes, in your C:\Temp folder.
Run it in the Exchange Management Shell: .\Test-ProxyLogon.ps1 -OutPath C:\Temp
This is what a good result looks like:
NOTE: Make sure to back up the Exchange server _before_ making any changes! That will allow for forensic examination at a later time.
Check the creation dates on any .ASPX files that are in:
C:\inetpub\wwwroot\aspnet_client\
C:\inetpub\wwwroot\aspnet_client\system_web\
That would tell you when the initial breach happened. That also gives you the restore point.
Task Scheduler
Verify whether there are any rogue tasks in Task Scheduler. Check the usual Registry Run locations for any possible rogue software persistence.
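An added example (not from the article or from Microsoft's tooling) that automates the checks above in one read-only pass: it lists every .aspx file in the two directories with its creation time so the earliest one can be used as the restore point, then dumps recently registered scheduled tasks and the Registry Run/RunOnce values for review. The 45-day lookback window is an assumption; run it elevated on the Exchange server.

```powershell
# Added example; read-only triage of web-shell drop locations and persistence points.
# Assumed: run elevated on the Exchange server; the 45-day window is an assumption.
$WebShellPaths = @(
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\inetpub\wwwroot\aspnet_client\system_web'
)
$Since = (Get-Date).AddDays(-45)

# 1. Every .aspx file in the drop locations, oldest first. The earliest creation
#    time is the candidate initial-breach time and therefore the restore point.
$AspxFiles = foreach ($Path in $WebShellPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Filter '*.aspx' -File -ErrorAction SilentlyContinue
    }
}
$AspxFiles | Sort-Object CreationTime |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize
if ($AspxFiles) {
    $First = $AspxFiles | Sort-Object CreationTime | Select-Object -First 1
    Write-Host "Earliest .aspx: $($First.FullName) created $($First.CreationTime)"
    Write-Host "Restore Exchange from a backup taken BEFORE this time."
}

# 2. Scheduled tasks registered inside the window (Date is the registration time)
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -ge $Since } |
    Select-Object TaskName, TaskPath, Author, Date, State |
    Format-Table -AutoSize

# 3. Classic Registry Run / RunOnce persistence values for manual review
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        Write-Host "== $Key"
        Get-ItemProperty -Path $Key | Select-Object * -ExcludeProperty PS* | Format-List
    }
}
```

Anything the script lists still needs a human decision; the Exchange server's own legitimate tasks and Run values will appear alongside anything rogue.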
Active Directory Check
Here is some PowerShell to poll your AD for recently added accounts:
# Get user accounts in the Domain Admins security group (needs the ActiveDirectory module)
Import-Module ActiveDirectory
Get-ADGroupMember "Domain Admins" -Recursive | Select-Object -ExpandProperty Name

# Check new user creation
# C:\Temp needs to exist or change that
$ExportName = "C:\Temp\2021-03-08-UserADCreate.CSV"
Get-ADUser -Filter {Enabled -eq $True} -Property Created,LastLogonDate |
    Select-Object -Property Name,SAMAccountName,Created,LastLogonDate |
    Export-Csv -Path $ExportName -NoTypeInformation

# List all members of the local Administrators group on every domain computer
# (Get-LocalGroupMember needs PowerShell 5.1 on the remote machine and WinRM enabled)
$ComputerName = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
foreach ($Computer in $ComputerName) {
    Invoke-Command -ComputerName $Computer -ScriptBlock { Get-LocalGroupMember -Name 'Administrators' } -ErrorAction SilentlyContinue
}
You can tweak the group names for the various local and domain groups to run the above reports.
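An added example (not the article's own script) that goes one step beyond the export above: it filters for accounts created after a cutoff date and, from the replication metadata of each privileged group's member attribute, shows when each current member was added, which is what exposes a membership change made during the intrusion. The cutoff date is a constructed placeholder and the group list and $DC lookup are assumptions; it needs the ActiveDirectory module against a Server 2012-or-later domain controller.

```powershell
# Added example; read-only. Set $Since from the earliest web-shell .aspx creation
# time or the last known-good date. The date below is a constructed placeholder.
Import-Module ActiveDirectory
$Since = Get-Date '2021-02-15'
$DC    = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

# 1. Every account created after the cutoff. objectClass 'user' also matches
#    computer objects, so rogue machine accounts show up here too.
Get-ADObject -Filter { objectClass -eq 'user' -and whenCreated -ge $Since } `
             -Properties whenCreated, whenChanged, sAMAccountName -Server $DC |
    Sort-Object whenCreated |
    Select-Object sAMAccountName, ObjectClass, whenCreated, whenChanged, DistinguishedName |
    Format-Table -AutoSize

# 2. For each privileged group, when each member value last changed. A member
#    whose LastOriginatingChangeTime is after the cutoff was added (or removed
#    and re-added) during the window and needs explaining.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($GroupName in $PrivilegedGroups) {
    $Group = Get-ADGroup -Identity $GroupName -Server $DC
    Get-ADReplicationAttributeMetadata -Object $Group.DistinguishedName -Server $DC -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' -and $_.LastOriginatingChangeTime -ge $Since } |
        Select-Object @{n='Group'; e={ $GroupName }}, AttributeValue, LastOriginatingChangeTime, Version |
        Format-Table -AutoSize
}
```

Replication metadata is per domain controller; if the change originated elsewhere the timestamp is still the originating one, so querying a single DC is enough for the membership history.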
The Exchange server should be restored to a point in time before the compromise.
If there are partitions for each Exchange component, which is a best practice, then you can use the existing databases/logs partitions when the time comes to "overwrite".
Make sure HTTPS is not forwarded from the Internet to the Exchange server while running this process.
Make sure to run the following in an elevated CMD!
Update the restored Exchange server to the latest Cumulative Update
Run the Exchange Security Update
Forklift Restore
The process we've done many times in the past, and would be doing if we had to back-date restore, keeping in mind that our Exchange partition layout is as follows:
C: OS
D: Exchange Program Files
E: Exchange Dbs
F: Exchange Logs
We would:
Close HTTPS and SMTP to Exchange
Restore C: and D: to a date prior to the compromise.
Forklift Recovery (Allow overwrite on Dbs)
Update CU
Update Security
Verify all services
Open SMTP inbound
Test mail in and out
Open HTTPS
Use the following to perform a "Forklift Restore" of the up-to-date databases:
An Exchange Dial Tone Recovery is an option to get mail flowing after a restore if the mailbox databases are large and will take some time to bring online.
Thanks. I've tested this on a Server 2016 with Exchange 2016 and it appears to work OK. I also need to do this on an Exchange 2010 on SBS 2011. I get this error for both Test-ProxyLogon.ps1 and EOMT: "You must provide a value expression on the right-hand side of the '-' operator." The article on https://github.com/microsoft/CSS-Exchange/tree/main/Security does mention needing PowerShell 3 to run the script for Exchange 2010. I tried getting PowerShell 3 from here https://www.microsoft.com/en-au/download/details.aspx?id=34595 but it will not install and I get "The update is not applicable to your computer." I looked this up; there are articles stating that WMF 3.0 caused problems on Exchange 2010 and SBS 2011 and advise not to install it. Not that I was able to anyway.
So what can I do then? Thanks.
Author commented: Exchange 2013+ had four vulnerabilities that could be compromised in order to gain full control of the Exchange server at SYSTEM level.