HAFNIUM - Exchange server 2016 mitigation and recommendation


Hello,

We have one customer where the Test-ProxyLogon script found some suspicious activity.

Webshell .aspx files and backdoor .NET .dll files were also found.

We immediately installed CU19 + the security patch and started a Windows Defender scan, which found and deleted all those .aspx and .dll files. The customer also blocked access from the internet to the Exchange services.

What are the recommendations for the next steps?

Are those Exchange servers safe after deleting those files? Should they unblock internet access to the Exchange services?

Are there any more mitigation steps we should take?

1 Reply

@cickozg I found one Exchange Server which had a little bit more evidence of being attacked besides only being scanned for the vulnerability.

There were no files on that server, only an obfuscated command line in one of the autodiscover logs invoking the Exchange server's name and the names of the Domain controllers.

So I decided to roll back the Exchange server from a backup (excluding the mailbox databases), which worked, and the Domain controllers (which did not work, due to time constraints and the limited capability to select only the system drive for restore in the backup software).

Since you had more evidence, restoring the Exchange server to an earlier version (from before the attack) or performing a clean reinstall would be the minimum you should do. And this might not be enough, since you cannot know if the hacker planted more backdoors in your network somewhere.

There is this beautiful fact that the Exchange Trusted Subsystem group, which contains the computer accounts of the Exchange Servers, is a member of the builtin Administrators group in the domain, granting a huge level of access to all member systems, so no, you cannot be sure that you are safe.

Best greetings from Germany

Olaf
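The reply's point about the Exchange Trusted Subsystem group sitting inside the domain's builtin Administrators group is something to verify in your own directory before deciding how far a compromised Exchange server could have reached. The following is an added example, not code from the thread or from Microsoft: it walks the nested membership of builtin Administrators (well-known SID S-1-5-32-544) and reports any Exchange security group or Exchange server computer account found there. It assumes the ActiveDirectory RSAT module on a domain-joined host; the group names are the default ones Exchange setup creates.

```powershell
# Added example (not from the thread): enumerate nested members of the domain's
# builtin Administrators group and flag Exchange groups / Exchange server accounts.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-NestedMembership {
    param([string]$GroupDN, [string[]]$Path = @(), [hashtable]$Seen = @{})
    $group = Get-ADGroup -Identity $GroupDN -Properties member
    foreach ($dn in $group.member) {
        if ($Seen.ContainsKey($dn)) { continue }   # guard against circular nesting
        $Seen[$dn] = $true
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName, objectClass
        [pscustomobject]@{
            Name  = $obj.sAMAccountName
            Class = $obj.objectClass
            Via   = ($Path + $group.Name) -join ' -> '   # nesting chain that grants the rights
        }
        if ($obj.objectClass -eq 'group') {
            Get-NestedMembership -GroupDN $dn -Path ($Path + $group.Name) -Seen $Seen
        }
    }
}

# Builtin Administrators has RID 544 in every domain.
$admins = Get-ADGroup -Identity 'S-1-5-32-544'
$all    = Get-NestedMembership -GroupDN $admins.DistinguishedName

# Default Exchange security groups worth flagging, plus the computer accounts
# of the Exchange servers themselves (members of the "Exchange Servers" group).
$watchGroups   = 'Exchange Trusted Subsystem', 'Exchange Windows Permissions', 'Exchange Servers'
$exchangeHosts = @(Get-ADGroupMember -Identity 'Exchange Servers' -ErrorAction SilentlyContinue |
    Where-Object objectClass -eq 'computer' | ForEach-Object SamAccountName)

$findings = $all | Where-Object {
    ($_.Class -eq 'group'    -and $watchGroups   -contains $_.Name) -or
    ($_.Class -eq 'computer' -and $exchangeHosts -contains $_.Name)
}

if ($findings) {
    'Exchange principals holding rights through builtin Administrators:'
    $findings | Format-Table Name, Class, Via -AutoSize
} else {
    'No Exchange group or Exchange server account is nested in builtin Administrators.'
}
```

Any hit here means a foothold on the Exchange server is effectively a domain-admin-level foothold, which is what makes a restore of Exchange alone an incomplete remediation.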