Forum Discussion
HAFNIUM - Exchange server 2016 mitigation and recommendation
cickozg
I found one Exchange Server which had a little bit more evidence of being attacked than only being scanned for the vulnerability.
There were no files on that server, only an obfuscated command line in one of the autodiscover logs invoking the Exchange server's name and the names of the Domain controllers.
So I decided to roll back the Exchange server from a backup (excluding the mailbox databases), which worked, and the Domain controllers (which did not work, due to time constraints and the limited capabilities to select only the system drive for restore in the backup software).
Since you had more evidence, restoring the Exchange server to an earlier version (from before the attack) or performing a clean reinstall would be the minimum you should do. And this might not be enough, since you cannot know if the hacker planted more backdoors somewhere in your network.
There is this beautiful fact that the Exchange Trusted Subsystem group, which contains the computer accounts of the Exchange Servers, is a member of the builtin Administrators group in the domain, granting a huge level of access to all member systems, so no, you cannot be sure that you are safe.
Best greetings from Germany
Olaf
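An added example (not from either poster) that audits the point Olaf raises: it walks the nested membership of the domain's builtin Administrators group and lists every computer account that inherits admin rights through it, together with the group chain it came in through. It assumes the ActiveDirectory RSAT module is installed and the caller may read group membership; the function name is hypothetical.

```powershell
# Added example: report which computer accounts (e.g. Exchange servers) end up
# inside BUILTIN\Administrators via nested groups such as Exchange Trusted Subsystem.
Import-Module ActiveDirectory

function Get-ComputerAdminPaths {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        [string[]] $Path = @(),
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    $group = Get-ADGroup -Identity $GroupIdentity
    # Guard against cyclic nesting so the walk always terminates
    if (-not $Visited.Add($group.DistinguishedName)) { return }
    $here = $Path + $group.Name

    foreach ($member in Get-ADGroupMember -Identity $group) {
        switch ($member.objectClass) {
            'group' {
                # Recurse into nested groups, carrying the chain along
                Get-ComputerAdminPaths -GroupIdentity $member.DistinguishedName `
                                       -Path $here -Visited $Visited
            }
            'computer' {
                [pscustomobject]@{
                    Computer = $member.Name
                    Via      = ($here -join ' -> ')
                }
            }
        }
    }
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators in the domain
$paths = Get-ComputerAdminPaths -GroupIdentity 'S-1-5-32-544'

if ($paths) {
    # Any machine account listed here holds admin rights on every domain member
    $paths | Sort-Object Computer | Format-Table -AutoSize
} else {
    Write-Host 'No computer accounts inherit BUILTIN\Administrators membership.'
}
```

Rows whose Via chain passes through an Exchange group show exactly the exposure Olaf describes: a compromised Exchange host's machine account already carries domain-wide administrative rights.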