Thanks everyone for all the help and information; this blog has been invaluable! I would love to hear what people are doing for remediation thus far. Defender manual full file scans seem to be doing OK, but we have not had enough time yet to crosscheck other scanners.
Just a few of our observations:
-This is not nearly as limited or targeted as the security bulletin makes it sound. We are seeing about a 40% infection rate among our SMB client base. I see no reason not to believe 40% of Exchange servers in the world were hit.
-If you are seeing ANY suspicious activity with the Hafnium PS check script, INCLUDING the SERVERNAME.company.com:444/autodiscover port 444 event, the server has probably already been backdoored. It has not had a single false positive yet for us, with the exception of a few known safe ZIP files in the ProgramData folder.
-We have one server that we have confirmed infected going back to 2/27/2021... before the public disclosure.
-Most infections happened in a single incident in the very early morning US hours.
-If you remove the backdoor before installing updates, hackers will attempt to reinfect the server regularly. I suspect that they have an automated check to try to re-infect previously infected hosts. The best way we have found is to disable incoming HTTP/S until the server is updated and cleaned.