Forum Discussion
Hafnium - Removal of Changes
It looks like we never got any web shells installed
The MS list of suspected .aspx files was not found
Also no zip/7z files in program data
and ran a number of scanners to see if any payloads had been dropped
We're monitoring traffic to and from the server to unknown devices
this is a good resource from FireEye: https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
and Microsoft: https://github.com/microsoft/CSS-Exchange/tree/eda4b387f8cd0f471496b89f0ab7b4ca642db2fd/Security
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log
MS need to publish a more detailed document on detecting and removing the various pieces,
The Test-ProxyLogon.ps1 and other scripts from MS are ok but could provide more information
I think I'm in the same boat as you. No webshells, no suspicious aspx files and no 7z files.
Firstly I ran Test-ProxyLogon.ps1 and it found evidence of CVE-2021-26855 & CVE-2021-27065.
Then I ran BackendCookieMitigation.ps1 (already done the URL Rewrite a little while ago but this does a bit more so let it do its thing).
I also ran the Microsoft Safety Scanner and it found evidence of Exploit:ASP/CVE-2021-27065.B!dha, it said it removed it and needed a reboot. I'm currently nearly 2 hrs through a second pass and it hasn't found anything so far.
What other scanners did you run? Thanks for the heads up on the FireEye link, I'll give that a read. We have CrowdStrike Falcon installed on all machines and I was hoping it would have caught it in time. Seems like it didn't quite get there. I patched this Exchange 2019 server last Wednesday, when Microsoft sent out the emails warning us to fix it or face the consequences. Seems like my suspicious activity happened on 03/03/2021, meaning I patched it the day it happened.
- sbabcock61, Mar 08, 2021, Copper Contributor:
We ran Test-ProxyLogon.ps1 and installed BackendCookieMitigation.ps1
We also ran SEP and a standalone Sophos scan along with Stinger64 to check for additional packages
Also checked for .aspx and alterations to iisstart and web.config
We have no files in the asp_client folder in inetpub
Also checked the SharedWebConfig.config file in C:\Program Files\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\ as it's referenced in web.config
Where do you find the Microsoft Safety Scanner?
- WarsT86, Mar 08, 2021, Copper Contributor:
My SharedWebConfig.config file was last modified 02:04am 04/03/2021, nothing looks untoward and I was patching around this time. What did you look for specifically?
- sbabcock61, Mar 08, 2021, Copper Contributor:
Same - was checking references to other files elsewhere; ran file comparison software to see what was different, if anything, in config files, etc.
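The config-file comparison sbabcock61 describes, as an added PowerShell example (not the thread's own script and not one of Microsoft's CSS-Exchange scripts): hash every .aspx and .config file under the Exchange FrontEnd and inetpub roots, diff against a baseline CSV taken from a known-good server, and flag anything new, changed, or written inside the window of interest. The install paths are the defaults and the baseline CSV location is an assumption.

```powershell
# Added example, not from the thread or Microsoft's CSS-Exchange scripts. Assumes
# default install paths (adjust to the server) and a baseline CSV captured with
# -WriteBaseline on a known-good server or from a clean backup.
param(
    [string]$BaselinePath = 'C:\IR\exchange-web-baseline.csv',  # assumed location
    [datetime]$Since = '2021-03-01',                             # window of interest
    [switch]$WriteBaseline
)
$roots = @(
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy',
    'C:\inetpub\wwwroot'
)
# Hash every .aspx and .config under the web roots (web.config and
# SharedWebConfig.config included) and record when each was last written.
function Get-WebContentInventory {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.config -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path          = $_.FullName
                    Hash          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    LastWriteTime = $_.LastWriteTime
                }
            }
    }
}
# Flag files absent from the baseline, files whose hash changed, and files written
# inside the window even though their content still matches the baseline.
function Compare-WebContentInventory {
    param($Baseline, $Current, [datetime]$Since)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Path] = $b.Hash }
    foreach ($f in $Current) {
        $finding = $null
        if (-not $known.ContainsKey($f.Path)) { $finding = 'NEW' }
        elseif ($known[$f.Path] -ne $f.Hash)  { $finding = 'MODIFIED' }
        elseif ($f.LastWriteTime -ge $Since)   { $finding = 'RECENT-WRITE' }
        if ($finding) { [pscustomobject]@{ Finding = $finding; Path = $f.Path; LastWriteTime = $f.LastWriteTime } }
    }
}
$inventory = Get-WebContentInventory -Roots $roots
if ($WriteBaseline) {
    $inventory | Export-Csv -Path $BaselinePath -NoTypeInformation
} else {
    Compare-WebContentInventory -Baseline (Import-Csv -Path $BaselinePath) -Current $inventory -Since $Since |
        Sort-Object Finding, Path | Format-Table -AutoSize
}
```

Run it once with -WriteBaseline on a known-good server, then without the switch on the suspect one. A RECENT-WRITE on an unchanged file is what a patch or CU install leaves behind; a NEW .aspx under the web roots is what the MS list of suspected files is really looking for.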
- WarsT86, Mar 08, 2021, Copper Contributor:
It's here - https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
I'll take a look at those two scanners, thanks.
So from an organisational point of view, what do you think will be your next steps? I am fairly confident that, as I patched the day of the release and the logs display 04:42am 03/03/2021 - 20:30 03/03/2021 (which is when the server went offline for CU9 installation), I caught it before too much happened.