Microsoft Guide Describes Exchange Server Indicator of Compromise Testing Tools
The Microsoft Security Response Center team on Tuesday issued "Guidance for Responders," which provides more advice on how organizations can respond to the recent attacks that are leveraging Exchange Server zero-day flaws.
The attacks, attributed to a "Hafnium" nation-state attacker, are exploiting four vulnerabilities (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065) in Exchange Server products. Microsoft issued patches for them back on March 2.
Plenty of advice from Microsoft and others has subsequently poured out since that March 2 patch release. Microsoft's "Guidance for Responders" post is perhaps most noteworthy for including consolidated information on how to check for indicators of compromise.
Organizations have to check for these indicators of compromise because patching closes the four vulnerabilities but does nothing to evict an attacker who already got in; Microsoft's patches don't fix already compromised systems. The attackers sometimes dropped Webshells to keep access and move further into compromised networks. Security researchers have found that anti-malware solutions weren't detecting these Webshells.
Microsoft is recommending the use of its Microsoft Defender for Endpoint tool to conduct the forensics, but it also released a few PowerShell tools for organizations lacking that solution or lacking other forensics tooling.
One of those PowerShell tools is the Exchange On-Premises Mitigation Tool (EOMT). It's meant for organizations that aren't patch-savvy and are OK with Microsoft's tool making changes on the server, as well as for organizations that may have patched their systems but never checked for adversary activity. The tool requires an Internet connection to work, and its mitigation covers only CVE-2021-26855 (the SSRF flaw that starts the attack chain), but it also scans for and attempts to remediate an existing compromise. It's the tool Microsoft seems to recommend the most, although Microsoft deems it a temporary mitigation rather than a substitute for installing the patches.
For organizations that don't want their systems connecting to the Internet, Microsoft has an alternative script, "ExchangeMitigations.ps1," which applies the same interim mitigations without calling out to the Internet. This script only reduces exposure, however; it does not look for indicators of compromise and takes no action to clean up a system that has already been compromised.
A third PowerShell investigative tool is "Test-ProxyLogon.ps1," formerly known as "Test-Hafnium." (ProxyLogon is the name used by some researchers to refer to the use of all four vulnerabilities in attack scenarios.) The Test-ProxyLogon.ps1 script will check Exchange Server and IIS logs for possible activity by an attacker across all four vulnerabilities.
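The log check described above, illustrated as an added example that is not part of Test-ProxyLogon.ps1 or any other Microsoft tool: an offline triage script for Exchange HttpProxy logs copied off the server. It applies the CVE-2021-26855 indicator from Microsoft's HAFNIUM analysis (an HttpProxy request with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*), which is one of the checks the PowerShell script automates. The column names follow the real HttpProxy CSV logs, but the log rows, host names and IP addresses below are constructed for the example.

```python
"""Offline triage of Exchange HttpProxy logs for the CVE-2021-26855 indicator.

Added example; not Microsoft code. Detection rule (from Microsoft's HAFNIUM
write-up): AuthenticatedUser is empty and AnchorMailbox looks like
ServerInfo~*/*, i.e. the front end was told to proxy an unauthenticated
request to an arbitrary backend path (the SSRF). Sample rows are constructed.
"""
import csv
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed sample. Real HttpProxy logs carry ~70 columns; the rule needs
# only AuthenticatedUser and AnchorMailbox, so the rest are trimmed here.
SAMPLE_HTTPPROXY_LOG = """DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T10:15:01.123Z,/owa/auth/x.js,,ServerInfo~a]@EXCH01.contoso.local/autodiscover/autodiscover.xml?#,203.0.113.10,200
2021-03-03T10:15:04.456Z,/ecp/y.js,,ServerInfo~localhost/ecp/DDI/DDIService.svc/GetList,203.0.113.10,200
2021-03-03T10:16:00.000Z,/owa/,CONTOSO\\alice,ServerInfo~EXCH01.contoso.local,198.51.100.7,200
2021-03-03T10:17:00.000Z,/mapi/emsmdb/,CONTOSO\\bob,Sid~S-1-5-21-1-2-3-1001,198.51.100.8,200
2021-03-03T10:18:00.000Z,/owa/auth/logon.aspx,,,198.51.100.9,200
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse one HttpProxy log into a list of row dicts.

    Lines starting with '#' are treated as preamble. If a '#Fields:' line is
    present it supplies the column names; otherwise the first non-comment
    line is taken as the CSV header. This keeps the parser working on both
    layouts seen in Exchange log files.
    """
    header = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = [c.strip() for c in line[len("#Fields:"):].split(",")]
            continue
        fields = next(csv.reader([line]))
        if header is None:
            header = fields
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def is_ssrf_indicator(row: Dict[str, str]) -> bool:
    """Microsoft's published rule: unauthenticated request whose anchor
    mailbox is 'ServerInfo~<something>/<path>'. A normal ServerInfo~ anchor
    names only a server and carries no '/'; an authenticated hit is not the
    SSRF pattern even if the anchor looks odd."""
    anchor = row.get("AnchorMailbox", "")
    return (
        row.get("AuthenticatedUser", "") == ""
        and anchor.startswith("ServerInfo~")
        and "/" in anchor
    )


def find_ssrf_indicators(text: str) -> List[Dict[str, str]]:
    """Return the rows of one log that match the indicator."""
    return [r for r in parse_httpproxy_log(text) if is_ssrf_indicator(r)]


def summarize_by_client(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count indicator hits per source IP; useful for blocking and scoping."""
    counts: Dict[str, int] = {}
    for r in hits:
        ip = r.get("ClientIpAddress", "?")
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def scan_log_directory(path: str) -> List[Dict[str, str]]:
    """Run the rule over every *.log under a directory, e.g. a copy of
    ...\\Exchange Server\\V15\\Logging\\HttpProxy pulled from the server."""
    hits: List[Dict[str, str]] = []
    for log in Path(path).rglob("*.log"):
        hits.extend(find_ssrf_indicators(log.read_text(errors="replace")))
    return hits


if __name__ == "__main__":
    found = find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG)
    for r in found:
        print(r["DateTime"], r["ClientIpAddress"], r["AnchorMailbox"])
    print("hits per client:", summarize_by_client(found))
```

Two of the five constructed rows trip the rule, both from the same client address; the authenticated request with a plain ServerInfo~ anchor and the unauthenticated OWA logon page do not. A clean result from this one rule is not evidence that a server was untouched: the other three CVEs leave different traces (which is why Test-ProxyLogon.ps1 also inspects ECP, OABGenerator and Unified Messaging logs), HttpProxy logs are rotated and purged after a retention window, and an attacker who has been on the box can edit them.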
Microsoft also offers a script file (http-vuln-cve2021-26855.nse) for use with Nmap, which can be used to check if a "specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855)." Nmap is a free, open source tool for "network discovery and security auditing," per its description page.
There were 82,731 vulnerable Exchange Server implementations exposed to the Internet as of March 11, according to data from cybersecurity firm RiskIQ. That number is down from 400,000 vulnerable servers on March 2. RiskIQ has been working with Microsoft on estimating the exposures.
On Tuesday, Reuters reported that 1,200 Exchange Servers in the Netherlands likely were compromised by the attacks.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.