First Response to the Exchange Hack

This past January, a security company called Volexity discovered a running attack (blog) on Microsoft Exchange servers (Microsoft blog). The attack was labeled Hafnium and has been attributed to a an Asian state-sponsored threat actor. The patch was published 2 March, it seems the more widespread attack started around 23 February. Since 4 March we are seeing cybercrime threat actors probing for the bugs and using them for themselves.

Microsoft published a good set of tools to check whether an Exchange server has been compromised (Link). As a lot of white-hat scanners are running through the internet searching for vulnerable servers, the „Test-ProxyLogon.ps1“ script will find a lot of false positives. The „CompareExchangeHashes.ps1“ script may also produce false positives if there is no baseline file for your exchange version available. Microsoft updates these scripts by time – so use all the scripts available. Finally analyse the outputs of these scripts carefully – if you are unsure: better safe that sorry – ask a security consultant to check the script logs for you. If one of these scripts finds a problem, the following step-by-step First Response Guideline may help:

1. Cut the internet connection for your Exchange server(s) and ensure e-mails are queued upstream
2. Stop your log rotation (do not delete any old logs in your company anymore)
3. Stop your backup rotation (do not delete any old backups in your company anymore)
4. Backup your current (compromised) Exchange server (securing evidence) and hand it over to a DFIR consultant for a forensic investigation
5. Identify the time of compromise (the MS scripts will show it easily)
6. Restore the system partition of your Exchange server using a backup made before the compromise (ideally go back a few days more, please do not use a backup before your last major upgrade)
7. Remount the current mailbox partition into your restored Exchange server
8. Patch the Exchange server with all available patches
9. Deactivate all forward rules. Reactive forward rules to external addresses only after careful review.
10. Sometime the attackers changed the configuration of the virtual directories. This is stored in your AD. Please use the script ConfigureExchangeURLs.ps1/GetExchangeURLs.ps1 (github.com) to check the configuration of your virtual directories. If something is not correct, edit your configuration accordingly.
11. For some extra good measure: Run the free and portable MS tool to scan for webshells (link).
12. For some extra good measure: Double check if „Exchange Patch KB5000871“ is in the list of installed updates. BTW: installing KB4602269 is also a good idea, but not sufficient.
13. Restart emergency e-mail operations (your users will have lost nearly no e-mails)
14. Check your network for „lateral movement“ or a deeper compromise. Your SOC should be able to help you there, otherwise enlist DFIR help. Use your logs. Answer the question: Was there a compromise of any other servers on your network? If the answer is yes: Now you urgently need a DFIR specialist! Your network has to be cleaned or set up from scratch – depending on the level of compromise and whatever is easier to do.
15. Identify the data stolen from your Exchange. Your logs, your SOC, or a DFIR expert may help.
16. Improve the log settings on your Exchange server and your DCs. Establish a monitoring process if not already in place. Your SOC knows best, Corporate Trust or another DFIR companies may help. An emergency solution is to buy ATP licenses and bring out Sysmon and an Advanced Audit Policy (available from us).
17. Check your notification duties with your lawyer.
18. Ensure that you have an always current offline backup, just in case that a ransomware attack will follow.
19. Set up awareness trainings for so-called Business E-mail Compromise (Payment Diversion Fraud, Fake President, Fake CEO). The stolen e-mails will make these types of fraud attacks a lot easier for the perpetrators. We expect a wave of Phishing coming in (CT blogpost).
20. Discuss with your business division how serious of a problem the stolen data may pose in the hands of an Asian government or a competitor.

If you have any further questions, just contact us.

Ph. +49 (89) 599 88 75 80

Last update: 16.03.2021 19:57