sbabcock61
Copper Contributor
Mar 07, 2021

Hafnium - Removal of Changes

Server was patched ASAP on Wednesday but may have been too late.

Running the Test-ProxyLogon.ps1 from GitHub gave these results:

-------- -------------
2021-03-05T17:31:05.591Z ServerInfo~a]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-05T17:31:06.253Z ServerInfo~a]@abc.com:444/mapi/emsmdb/?#
2021-03-05T17:31:07.191Z ServerInfo~a]@abc.com:444/ecp/proxyLogon.ecp?#
2021-03-05T17:31:08.897Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:31:10.073Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:31:10.649Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:31:11.840Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:32:04.431Z ServerInfo~akak]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-05T17:32:05.011Z ServerInfo~akak]@abc.com:444/mapi/emsmdb/?#
2021-03-06T09:31:03.147Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T09:49:40.224Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T15:31:51.918Z ServerInfo~akak]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-06T15:31:52.930Z ServerInfo~akak]@abc.com:444/mapi/emsmdb/?#
2021-03-06T15:31:54.373Z ServerInfo~akak]@abc.com:444/ecp/proxyLogon.ecp?#
2021-03-06T15:31:57.070Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwHwB
2021-03-06T15:31:58.447Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwH
2021-03-06T15:31:59.473Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwH
2021-03-06T15:32:41.780Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwH
2021-03-07T01:23:03.269Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-07T02:28:15.385Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-07T10:41:00.728Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T09:31:03.242Z ServerInfo~localhost/ecp/default.flt?
2021-03-06T09:31:03.800Z ServerInfo~<no value>.82a595b7c3182062c44a.d.requestbin.net/ecp/default.flt?
2021-03-06T09:49:40.225Z ServerInfo~localhost/ecp/default.flt?
2021-03-06T19:29:03.303Z ServerInfo~burpcollaborator.net/ecp/default.flt?
2021-03-07T01:23:03.353Z ServerInfo~localhost/ecp/default.flt?
2021-03-07T02:28:15.386Z ServerInfo~localhost/ecp/default.flt?
2021-03-07T10:41:00.730Z ServerInfo~localhost/ecp/default.flt?

Our A/V is up to date and a full scan with that product and an additional product showed no infections.

How do I clean up any of the IIS / autodiscover changes?

Steve
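A small triage helper, added here as an example and not part of the post or of Microsoft's Test-ProxyLogon.ps1: it parses lines in the shape shown above (timestamp, then ServerInfo~ and the anchor value) and ranks them, treating a "]@host:444" backend anchor that reaches /ecp/proxyLogon.ecp or /ecp/DDI/DDIService.svc/ as the highest-risk pattern and any non-localhost anchor as worth a look. The sample lines, the canary value and the hostname mail.example.test are constructed for the example.

```python
import re

# Constructed sample lines in the same shape as the Test-ProxyLogon.ps1 output quoted above.
# Hostname mail.example.test and the canary value are made up for this example.
SAMPLE_LINES = """\
2021-03-05T17:31:05.591Z ServerInfo~a]@mail.example.test:444/autodiscover/autodiscover.xml?#
2021-03-05T17:31:08.897Z ServerInfo~a]@mail.example.test:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=CONSTRUCTED
2021-03-06T09:31:03.147Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T09:31:03.800Z ServerInfo~<no value>.deadbeef.d.requestbin.net/ecp/default.flt?
2021-03-06T19:29:03.303Z ServerInfo~burpcollaborator.net/ecp/default.flt?
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+ServerInfo~(?P<anchor>.+)$")

# ECP endpoints that should never be reached through a bounced backend request:
# proxyLogon.ecp (session setup) and the DDI service (virtual directory writes, CVE-2021-27065).
HIGH_RISK_PATHS = ("/ecp/proxylogon.ecp", "/ecp/ddi/ddiservice.svc/")


def classify(line):
    """Return (timestamp, host, path, severity, reason), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, _, rest = m.group("anchor").partition("/")
    path = "/" + rest
    # "x]@host:444" is the backend-bounce anchor pattern from CVE-2021-26855 (port 444 = Exchange backend).
    backend_bounce = "]@" in host and host.endswith(":444")
    external = host.lower() != "localhost"
    if backend_bounce and any(p in path.lower() for p in HIGH_RISK_PATHS):
        sev, reason = "high", "backend-bounced request reached ECP DDI/proxyLogon (26855 -> 27065 chain)"
    elif backend_bounce:
        sev, reason = "medium", "backend-bounced request on port 444 (CVE-2021-26855 pattern)"
    elif external:
        sev, reason = "medium", "ServerInfo anchor points at an external host (out-of-band callback probing)"
    else:
        sev, reason = "low", "localhost anchor, expected for ordinary OWA/ECP traffic"
    return (m.group("ts"), host, path, sev, reason)


def triage(text):
    """Classify every parseable line; return findings sorted worst-first, then by timestamp."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [c for c in (classify(l) for l in text.splitlines()) if c]
    return sorted(findings, key=lambda f: (order[f[3]], f[0]))


if __name__ == "__main__":
    for ts, host, path, sev, reason in triage(SAMPLE_LINES):
        print(f"{sev:6} {ts} {host:40} {path:60} {reason}")
```

Run it against the full Test-ProxyLogon output instead of SAMPLE_LINES; the separator line and anything else that is not a ServerInfo~ entry is skipped.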


  • WarsT86
    Copper Contributor

    sbabcock61 

    How did you get on with this? I'm considering building a new server and migrating the mailboxes.

    • sbabcock61
      Copper Contributor

      It looks like we never got any web shells installed.

      The MS list of suspected .aspx files was not found.

      Also no zip/7z files in ProgramData.

      We also ran a number of scanners to see if any payloads had been dropped.

      We're monitoring traffic to and from the server to unknown devices.

      This is a good resource from FireEye: https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html

      And Microsoft: https://github.com/microsoft/CSS-Exchange/tree/eda4b387f8cd0f471496b89f0ab7b4ca642db2fd/Security

      https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log

      MS need to publish a more detailed document on detecting and removing the various pieces.

      The Test-ProxyLogon.ps1 and other scripts from MS are OK but could provide more information.

      • WarsT86
        Copper Contributor

        sbabcock61 

        I think I'm in the same boat as you. No webshells, no suspicious aspx files and no 7z files.

        Firstly I ran Test-ProxyLogon.ps1 and it found evidence of CVE-2021-26855 & CVE-2021-27065.

        Then I ran BackendCookieMitigation.ps1 (I had already done the URL Rewrite a little while ago, but this does a bit more, so I let it do its thing).

        I also ran the Microsoft Safety Scanner and it found evidence of Exploit:ASP/CVE-2021-27065.B!dha; it said it removed it and needed a reboot. I'm currently nearly 2 hrs through a second pass and it hasn't found anything so far.

        What other scanners did you run? Thanks for the heads up on the FireEye link, I'll give that a read. We have CrowdStrike Falcon installed on all machines and I was hoping it would have caught it in time. Seems like it didn't quite get there. I patched this Exchange 2019 server last Wednesday, when Microsoft sent out the emails warning us to fix it or face the consequences. Seems like my suspicious activity happened on 03/03/2021, meaning I patched it the day it happened.

  • nlopezs74
    Copper Contributor

    Try running the Microsoft Safety Scanner:
    https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download