A series of flaws in stand-alone installations of Microsoft Exchange server has seen several hundreds of thousands of installations of Exchange Server being compromised by Chinese hacker group Hafnium.
Krebs on Security reports that a significant number of small businesses, towns, cities and local governments have been infected, with the hackers leaving behind a web shell for further command and control.
Today Microsoft has released new tools and guidance to help server admins detect and mitigate against the threat.
Microsoft has released an update for its free Exchange server Indicators of Compromise tool that can be used to scan Exchange server log files to identify whether they are compromised.
Microsoft also released emergency alternative mitigation guidance for admins who are unable to apply the out-of-band updates Microsoft has already released on the 2nd of March. Applying the patches remains the most effective prevention however, though if your server is infected full remediation will be a much bigger job.
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” said Volexity President Steven Adair, who discovered the attack . “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”