A series of flaws existed in the independent installation of Microsoft Exchange server, which led to a large-scale network security incident. The installation of hundreds of thousands of Exchange servers was invaded by the hacker organization Hafnium. Krebs on Security reported that a large number of small businesses, towns, cities, and local governments have been infected. Hackers have stolen data and left a Web Shell for further command and control.
In order to quickly help potential victims determine and solve problems, today, Microsoft released new tools and guidelines to help server administrators detect and mitigate threats.
First and most importantly, Microsoft has released an update to the free Exchange server “intrusion indicator” tool, which can be used to scan the log files of Exchange servers to identify whether they have been compromised.
Microsoft has also issued an emergency replacement mitigation guide for administrators who cannot apply the built-in standalone update that Microsoft has released on March 2. However, applying a patch is still the most effective preventive measure. If your server is infected, a comprehensive remediation will be a bigger task.
“So far, we have dealt with dozens of cases, as early as February 28 [before Microsoft announced its patch] and up to now,” said Steven Adair, president of Volexity, who discovered the attack. “Even if you apply the patch on the same day that Microsoft announces the patch, there is still a high probability that a web shell exists on your server. The truth is, if you are running Exchange and you have not patched it, then your network organization It may have been hacked.”
“The best protection is to apply the update to all affected systems as soon as possible,” a Microsoft spokesperson said in a written statement. “We will continue to help customers by providing additional investigations and mitigation guidance. Affected customers should contact our support team for additional help and resources.”