A state-sponsored attack was launched against on-premises Exchange servers. This vulnerability caught many Microsoft Exchange Server customers off guard. While Microsoft has released a patch to mitigate the vulnerability, the flaw had already been exploited by numerous criminal organizations before the patch was available, and that exploitation is developing into new ransomware attacks and other malicious activity. Patching closes the door but does not evict an attacker who is already inside, so the steps below cover both patching and checking for compromise. See the initial Microsoft blog.
Below are steps business and technical owners need to perform to ensure that their environment is safe from attackers:
Patch all on-premises Exchange servers immediately. Exchange security updates are built for a specific Cumulative Update (CU) level, so confirm the CU installed on each server before downloading. You may check the appropriate patch for your Exchange Server version here.
If you cannot patch immediately, run the Exchange On-premises Mitigation Tool (EOMT). EOMT.ps1 is the better option for Exchange deployments with Internet access and for those who want an attempt at automated mitigation. It is an interim measure only and does not replace the security update; plan to patch as soon as the change window allows.
Run the Microsoft Safety Scanner in Full Scan mode. This is a portable, on-demand tool designed to find and remove malware from Windows computers. It only scans when you run it, provides no real-time protection, and expires ten days after download, so fetch a fresh copy for each scan.
Scan Exchange log files for indicators of compromise. CVE-2021-26858 exploitation can be detected via the Exchange log files:
Block known Hafnium web shell hashes. Microsoft has released a feed of web shell hashes that you can add to your enterprise antivirus and apply as a global block policy. A hash match is a confirmed compromise; the absence of a match is not a clean bill of health, because attackers routinely modify web shells so that their hashes change.
Scan for suspicious files. Check for unexpected .zip, .rar, and .7z files in C:\ProgramData\, which may indicate data staged for exfiltration. Note the file sizes and timestamps before touching anything so the evidence is preserved for incident response.
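The three detection steps above (log review, hash matching, archive hunting) can be run together as one read-only triage pass. The script below is an added example written for this page; it is not from the original post and not a Microsoft tool. It assumes the ExchangeInstallPath environment variable that Exchange setup creates (falling back to the default V15 path), a local text file named webshell-hashes.txt containing one SHA256 per line copied from Microsoft's feed, and the OABGeneratorLog path and "Download failed and temporary file" string given in the Microsoft HAFNIUM blog for CVE-2021-26858; verify those two against the current guidance before relying on them. It only reads and reports, never deletes.

```powershell
# Added example (not from the original post or from Microsoft). Read-only triage of one Exchange server.
# Run in an elevated PowerShell on each on-premises Exchange server. All paths below are assumptions
# based on a default installation; adjust them to your environment.
param(
    [string]$ExchangeRoot = $env:ExchangeInstallPath,   # set by Exchange setup (assumed present)
    [string]$HashFeed     = '.\webshell-hashes.txt',    # one SHA256 per line, copied from Microsoft's feed (assumed filename)
    [string]$ReportPath   = ".\exchange-triage-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

if (-not $ExchangeRoot) { $ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param($Check, $Path, $Detail)
    $findings.Add([pscustomobject]@{ Host = $env:COMPUTERNAME; Check = $Check; Path = $Path; Detail = $Detail })
}

# 1. Exchange log files. The OAB generator log line below is the CVE-2021-26858 indicator published in
#    Microsoft's HAFNIUM blog (assumed unchanged); every hit is a file written outside the OAB temp folder.
$oabLog = Join-Path $ExchangeRoot 'Logging\OABGeneratorLog'
if (Test-Path $oabLog) {
    Get-ChildItem $oabLog -Filter *.log -Recurse -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch 'Download failed and temporary file' |
        ForEach-Object { Add-Finding 'OABGeneratorLog' $_.Path $_.Line.Trim() }
} else {
    Write-Warning "OABGeneratorLog not found at $oabLog; check ExchangeRoot."
}

# 2. Known web shell hashes. Load the feed into a hashtable, then hash every script file under the
#    web-facing Exchange directories and the IIS default root. Files not in the feed but written
#    recently are reported separately for manual review (a miss on the feed is not a clean result).
$feed = @{}
if (Test-Path $HashFeed) {
    Get-Content $HashFeed |
        Where-Object { $_ -match '^[0-9a-fA-F]{64}$' } |
        ForEach-Object { $feed[$_.ToLowerInvariant()] = $true }
} else {
    Write-Warning "Hash feed $HashFeed not found; web files will only be checked for recent writes."
}
$webRoots = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $ExchangeRoot 'ClientAccess'),
    'C:\inetpub\wwwroot'
) | Where-Object { Test-Path $_ }
$recentCutoff = (Get-Date).AddDays(-30)   # assumed review window
foreach ($root in $webRoots) {
    Get-ChildItem $root -Recurse -Include *.aspx, *.asp, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
            if ($feed.ContainsKey($hash)) {
                Add-Finding 'WebShellHashMatch' $_.FullName $hash
            } elseif ($_.LastWriteTime -gt $recentCutoff) {
                Add-Finding 'RecentWebFile' $_.FullName ("sha256={0} modified={1}" -f $hash, $_.LastWriteTime)
            }
        }
}

# 3. Archives in C:\ProgramData that could be staged exfiltration. Sizes and timestamps are recorded
#    so the evidence survives even if the files are later removed.
Get-ChildItem 'C:\ProgramData' -Recurse -Include *.zip, *.rar, *.7z -ErrorAction SilentlyContinue |
    ForEach-Object {
        Add-Finding 'ArchiveInProgramData' $_.FullName ("{0:N0} bytes, modified {1}" -f $_.Length, $_.LastWriteTime)
    }

# Persist the full list and print a per-check summary for the operator.
$findings | Export-Csv -NoTypeInformation -Path $ReportPath
$findings | Group-Object Check | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "Findings: $($findings.Count). Report written to $ReportPath. Nothing was modified or deleted."
```

Any WebShellHashMatch or OABGeneratorLog row should be treated as a confirmed compromise and handed to incident response rather than cleaned up in place; RecentWebFile and ArchiveInProgramData rows need a human to decide whether they are legitimate, since Exchange updates and backup jobs also write files into those locations.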