When four zero-day vulnerabilities* within Microsoft Exchange were revealed in early March this year, the news came with a sense of urgency – the vulnerabilities were already being actively used and exploited by malicious threat actors in the wild.
The urgent message warned every organisation using Microsoft Exchange to patch their on-premise servers immediately and to scan their networks for signs of malicious activity.
The exploitations seen in the wild were first attributed to a nation state actor dubbed HAFNIUM, but the vulnerabilities and attacks have colloquially become known as “ProxyLogon” in reference to the main vulnerability of the zero-days involved.
Cybersecurity firm, Sophos, has published several alerts highlighting the threats DearCry and Black KingDom ransomware and a malicious Monero cryptominer actively exploiting the vulnerabilities.
A combination of these four vulnerabilities can lead to easy exploitation of your Exchange and according to Sophos Managed Threat Response senior director Matt Gangwer.
“Given the broad installation of Exchange and its exposure to the internet, these vulnerabilities should not be taken lightly. Ensuring your organisation can identify and respond to the suspected vulnerabilities is crucial.”
“As a customer or partner using on-prem Exchange, the best course of action may be to assume that this has impacted your organisation.”
If they haven’t already done so, organisations should follow these steps:
1. Patch or disable
Patch all on-premise Microsoft Exchange servers in your environment with the relevant security update. Details can be found on Microsoft’s Exchange Team blog.
If you are unable to patch, Microsoft provides a succinct mitigation tool (Exchange On-Premise Mitigation Tool) that’s available on GitHub via: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
Sophos recommends you back up Exchange IIS/Server logs before patching and updating to maintain any forensic evidence that would indicate a successful exposure of your environment.
2. Determine possible exposure
Download and run the Test-ProxyLogon.ps1 script provided by Microsoft to determine possible exposure.
It is important to note that even with the patches installed, this will not address the presence of any malicious web shells. This is why the use of Microsoft’s script to identify affected servers and look for the presence of web shells is recommended.
Test-ProxyLogon.ps1 can output multiple .csv files per Exchange server, depending on what it finds. These .csv files can be viewed in a text editor or spreadsheet application.
The script will look for evidence of each vulnerability being abused, creating a .csv per CVE. It will also look for suspicious files (which may be web shells), which should be reviewed and calculate how many days back in the logs it can identify potential abuse of the vulnerabilities.
3. Look for web shells or other suspicious .aspx files
Many security products that provide protection for Microsoft server platforms (including the use of Exchange) can accurately identify the presence of these persistence mechanisms (web shells) and quarantine them and provide clear guidance on their removal. Deploy and scan your Exchange systems immediately.
4. Determine exposure and plan next steps
If you uncovered suspicious activity, plan your next steps, which could include acquiring help from a third-party forensics firm to do a deeper analysis or incident response.
Conducting investigations in the wake of major incidents like this requires time and expertise. For many organisations, being able to be certain there is no adversarial activity in their network is simply out of the scope of their team’s capabilities.
For an expert team to watch over your network 24/7, identifying, investigating, and responding to threats that have evaded your defences, Sophos Managed Threat Response can help.
*The four vulnerabilities (CVEs) affecting Microsoft Exchange are:
- CVE-2021-26855
- CVE-2021-26857
- CVE-2021-26858
- CVE-2021-27605