Mar 07 2021 04:32 AM
Server was patched ASAP on Wednesday but may have been too late.
Running the Test-ProxyLogon.ps1 from GitHub gave these results:
-------- -------------
2021-03-05T17:31:05.591Z ServerInfo~a]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-05T17:31:06.253Z ServerInfo~a]@abc.com:444/mapi/emsmdb/?#
2021-03-05T17:31:07.191Z ServerInfo~a]@abc.com:444/ecp/proxyLogon.ecp?#
2021-03-05T17:31:08.897Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:31:10.073Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:31:10.649Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:31:11.840Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:32:04.431Z ServerInfo~akak]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-05T17:32:05.011Z ServerInfo~akak]@abc.com:444/mapi/emsmdb/?#
2021-03-06T09:31:03.147Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T09:49:40.224Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T15:31:51.918Z ServerInfo~akak]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-06T15:31:52.930Z ServerInfo~akak]@abc.com:444/mapi/emsmdb/?#
2021-03-06T15:31:54.373Z ServerInfo~akak]@abc.com:444/ecp/proxyLogon.ecp?#
2021-03-06T15:31:57.070Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwHwB
2021-03-06T15:31:58.447Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwH
2021-03-06T15:31:59.473Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwH
2021-03-06T15:32:41.780Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwH
2021-03-07T01:23:03.269Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-07T02:28:15.385Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-07T10:41:00.728Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T09:31:03.242Z ServerInfo~localhost/ecp/default.flt?
2021-03-06T09:31:03.800Z ServerInfo~<no value>.82a595b7c3182062c44a.d.requestbin.net/ecp/default.flt?
2021-03-06T09:49:40.225Z ServerInfo~localhost/ecp/default.flt?
2021-03-06T19:29:03.303Z ServerInfo~burpcollaborator.net/ecp/default.flt?
2021-03-07T01:23:03.353Z ServerInfo~localhost/ecp/default.flt?
2021-03-07T02:28:15.386Z ServerInfo~localhost/ecp/default.flt?
2021-03-07T10:41:00.730Z ServerInfo~localhost/ecp/default.flt?
Our A/V is up to date and a full scan with that product and an additional product showed no infections.
How do I clean up any of the IIS / autodiscover changes?
Steve
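The ServerInfo~ lines above are the raw HttpProxy findings; reading them by eye is error-prone, so here is an added Python triage helper (not part of the thread and not Microsoft's script) that flags the three patterns visible in that output: a host carrying the "]@" marker on the backend port 444, the ECP stage (/ecp/proxyLogon.ecp and /ecp/DDI/DDIService.svc), and /ecp/default.flt requests whose host is not one of yours (requestbin.net and burpcollaborator.net are out-of-band callback services, which is why they stand out). The sample lines are constructed from the thread's patterns with the canary value replaced; feed it the real script output and pass your own hostnames in `own_hosts`.

```python
"""Triage helper for the ServerInfo~ lines that Test-ProxyLogon.ps1 prints.

Added example, not part of the thread or of Microsoft's script. Each line is
'<timestamp> ServerInfo~<host>/<path>'. A line is flagged when it shows:
  * a host with the ']@' marker and backend port 444 (the SSRF-shaped target
    in the thread's output);
  * the ECP stage of the chain (/ecp/proxyLogon.ecp, /ecp/DDI/DDIService.svc);
  * /ecp/default.flt requested for a host that is not one of ours.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

# Constructed sample modelled on the thread's output; canary value replaced.
SAMPLE_LINES = """\
2021-03-05T17:31:05.591Z ServerInfo~a]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-05T17:31:07.191Z ServerInfo~a]@abc.com:444/ecp/proxyLogon.ecp?#
2021-03-05T17:31:10.073Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=CANARY_PLACEHOLDER
2021-03-06T09:31:03.147Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T09:31:03.800Z ServerInfo~<no value>.constructed.requestbin.net/ecp/default.flt?
2021-03-06T19:29:03.303Z ServerInfo~burpcollaborator.net/ecp/default.flt?
2021-03-07T02:28:15.386Z ServerInfo~localhost/ecp/default.flt?
"""

# The target may contain spaces (e.g. "<no value>"), so match greedily.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+ServerInfo~(?P<target>.+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    path: str
    reasons: List[str] = field(default_factory=list)


def classify(line: str, own_hosts: Sequence[str] = ("localhost",)) -> Optional[Finding]:
    """Parse one output line; reasons stays empty for benign lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, _, rest = m["target"].partition("/")
    path = "/" + rest
    low = path.lower()
    f = Finding(m["ts"], host, path)
    if "]@" in host and host.endswith(":444"):
        f.reasons.append("backend-444-with-]@-marker")
    if low.startswith("/ecp/proxylogon.ecp"):
        f.reasons.append("ecp-proxylogon")
    if low.startswith("/ecp/ddi/ddiservice.svc"):
        f.reasons.append("ecp-ddi-service")
    if low.startswith("/ecp/default.flt") and host not in own_hosts:
        f.reasons.append("external-host-default.flt")
    return f


def triage(text: str, own_hosts: Sequence[str] = ("localhost",)) -> List[Finding]:
    """Return only the lines that carry at least one reason."""
    out = []
    for line in text.splitlines():
        f = classify(line, own_hosts)
        if f and f.reasons:
            out.append(f)
    return out


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Window of suspicious activity plus the distinct hosts seen in it."""
    if not findings:
        return {"count": 0, "first": None, "last": None, "hosts": []}
    ts = sorted(f.ts for f in findings)  # ISO-8601 UTC strings sort lexically
    return {
        "count": len(findings),
        "first": ts[0],
        "last": ts[-1],
        "hosts": sorted({f.host for f in findings}),
    }


if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for f in hits:
        print(f.ts, f.host, f.path, ",".join(f.reasons))
    print(summarize(hits))
```

The "first" and "last" timestamps from `summarize` give you the window to carry into the next checks (file modification times, IIS and ECP logs), and the host list tells you which callback domains to look for in outbound proxy or DNS logs.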
Mar 08 2021 02:37 AM
Mar 08 2021 04:17 AM
How did you get on with this? I'm considering building a new server and migrating the mailboxes....
Mar 08 2021 04:40 AM
It looks like we never got any web shells installed
The MS list of suspected .aspx files were not found
Also no zip/7z files in program data
and ran a number of scanners to see if any payloads had been dropped
We're monitoring traffic to and from the server to unknown devices
this is a good resource from FireEye : https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft...
and Microsoft : https://github.com/microsoft/CSS-Exchange/tree/eda4b387f8cd0f471496b89f0ab7b4ca642db2fd/Security
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log
MS need to publish a more detailed document on detecting and removing the various pieces.
The Test-ProxyLogon.ps1 and other scripts from MS are ok but could provide more information
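The checks in the post above (no .aspx files from the Microsoft list, no zip/7z files in ProgramData) can be turned into a repeatable sweep. The following Python is an added example, not part of the thread or of Microsoft's scripts. It looks for .aspx files modified after a cutoff date in the web-shell drop directories and for archives anywhere under ProgramData; the directory list is an assumption taken from the Microsoft advisory linked above, so trim or extend it to the list you are actually working from. It builds a small constructed directory tree so it can be run offline; on a real server call `sweep(Path("C:/"), <date of the first suspicious HttpProxy hit>)`.

```python
"""Sweep for the file-system artefacts the poster checked by hand.

Added example, not part of the thread or of Microsoft's scripts. Looks for
recently modified .aspx files in the web-shell drop directories and for
7z/zip archives under ProgramData. WEBSHELL_DIRS is an assumption taken
from the Microsoft advisory linked in the thread.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

# Drop locations to watch, relative to the system root (assumed, see above).
WEBSHELL_DIRS = [
    Path("inetpub/wwwroot/aspnet_client"),
    Path("Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth"),
]
PROGRAMDATA = Path("ProgramData")
ARCHIVE_EXTS = {".7z", ".zip"}


def sweep(root: Path, modified_since: datetime) -> Dict[str, List[str]]:
    """Return suspicious paths (relative to root, POSIX-style) in two buckets."""
    cutoff = modified_since.timestamp()
    aspx, archives = set(), set()
    for rel in WEBSHELL_DIRS:
        d = root / rel
        if not d.is_dir():
            continue
        # Legitimate Exchange pages live here too (e.g. logon.aspx), so the
        # mtime cutoff is what separates them from something dropped recently.
        for p in d.rglob("*.aspx"):
            if p.is_file() and p.stat().st_mtime >= cutoff:
                aspx.add(p.relative_to(root).as_posix())
    pd = root / PROGRAMDATA
    if pd.is_dir():
        for p in pd.rglob("*"):
            if p.is_file() and p.suffix.lower() in ARCHIVE_EXTS:
                archives.add(p.relative_to(root).as_posix())
    return {"aspx": sorted(aspx), "archives": sorted(archives)}


def build_sample_tree() -> Path:
    """Constructed fixture: one old legitimate page, one recently written
    .aspx in a drop directory, one 7z under ProgramData. Names are made up."""
    root = Path(tempfile.mkdtemp(prefix="exchange-sweep-"))
    old = datetime(2021, 1, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2021, 3, 3, 12, 0, tzinfo=timezone.utc).timestamp()
    auth = root / WEBSHELL_DIRS[1]
    auth.mkdir(parents=True)
    legit = auth / "logon.aspx"
    legit.write_text("<!-- legitimate page -->")
    os.utime(legit, (old, old))
    dropped = auth / "sample_dropped.aspx"
    dropped.write_text("<!-- constructed sample, no payload -->")
    os.utime(dropped, (new, new))
    staging = root / PROGRAMDATA / "staging"
    staging.mkdir(parents=True)
    (staging / "mailbox_export.7z").write_bytes(b"7z\xbc\xaf\x27\x1c")
    return root


def run_sample() -> Dict[str, List[str]]:
    """Build the fixture and sweep it with a cutoff just before the March
    2021 disclosure (the cutoff is a constructed value)."""
    root = build_sample_tree()
    return sweep(root, datetime(2021, 3, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for bucket, paths in run_sample().items():
        print(bucket, paths)
```

The mtime cutoff is deliberate: listing every .aspx in owa/auth would flag Exchange's own pages, while anything written after the window you got from the HttpProxy logs deserves a look. Remember that mtime can be reset by whoever wrote the file, so treat a clean sweep as supporting evidence rather than proof.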
Mar 08 2021 05:38 AM
I think I'm in the same boat as you. No webshells, no suspicious aspx files and no 7z files.
Firstly I ran Test-ProxyLogon.ps1 and it found evidence of CVE-2021-26855 & CVE-2021-27065.
Then I ran BackendCookieMitigation.ps1 (already done the URL Rewrite a little while ago but this does a bit more so let it do its thing).
I also ran the Microsoft Safety Scanner and it found evidence of Exploit:ASP/CVE-2021-27065.B!dha, it said it removed it and needed a reboot. I'm currently nearly 2hrs through a second pass and it hasn't found anything so far.
What other scanners did you run? Thanks for the heads up on the FireEye link, I'll give that a read. We have CrowdStrike Falcon installed on all machines and I was hoping it would have caught it in time. Seems like it didn't quite get there. I patched this Exchange 2019 server last Wednesday, when Microsoft sent out the emails warning us to fix it or face the consequences. Seems like my suspicious activity happened on 03/03/2021, meaning I patched it the day it happened.
Mar 08 2021 05:48 AM
Mar 08 2021 05:53 AM
Mar 08 2021 06:05 AM
Mar 08 2021 06:13 AM
Mar 08 2021 06:39 AM
Mar 08 2021 07:22 AM
Same here, I started going through the IIS to see if anything was strange while I wait for the Safety Scanner to finish. @WarsT86
Mar 08 2021 07:31 AM
Mar 08 2021 07:39 AM
Mar 08 2021 07:45 AM
Mar 08 2021 07:46 AM
Just special permission to read/list folders, no write access at all. IIS_IUSRS is a built in group. @WarsT86
Mar 08 2021 08:49 AM
Mar 08 2021 10:06 AM
Mine finished and it was clean. Guess I dodged the bullet... Ran a few other scripts that I found on GitHub. Looks like it was attempted but nothing stuck. The HTTP proxy logs just record the attempt if I understand, correct?
I had just locked down everything on our firewall after our migration a month back and put on the latest Malwarebytes and another AV.
Mar 08 2021 10:11 AM
Looks like you have been really lucky. I'm in the process of migrating all the remaining mailboxes to o365 (something we were going to do anyway, 39 left) and building a brand new server at the same time as we are hybrid and still need a physical box. Looking into going fully hosted next, one less thing for me to worry about.
The only port I have open to the world on the compromised server is 443, everything else runs through Mimecast, I thought we would be in a much better position than most, I guess I was wrong, despite patching as soon as the bulletin was released. You can't win them all I guess!
Jul 30 2021 01:26 AM
I don't know if you got this resolved. Had a similar issue and this link solved this.
https://techcommunity.microsoft.com/t5/exchange/autodiscover-infected-with-virus/m-p/2232795
Best regards,
Wikus