{"id":5007,"date":"2021-03-15T02:22:54","date_gmt":"2021-03-15T02:22:54","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=5007"},"modified":"2021-03-16T23:05:10","modified_gmt":"2021-03-16T23:05:10","slug":"exchange-0-day-exploit","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/exchange-0-day-exploit","title":{"rendered":"Exchange 0 Day Exploit"},"content":{"rendered":"<div dir=\"auto\"><strong>Partial mitigation for clients unable to patch immediately:<\/strong><\/div><div dir=\"auto\">\u00a0<\/div><div dir=\"auto\"><a href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/05\/microsoft-exchange-server-vulnerabilities-mitigations-march-2021\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">https:\/\/msrc-blog.microsoft.com\/2021\/03\/05\/microsoft-exchange-server-vulnerabilities-mitigations-march-2021\/<\/a><\/div><div dir=\"auto\">\u00a0<\/div><div dir=\"auto\"><div dir=\"auto\"><strong>Microsoft has released a script to assist in checking for signs of compromise by the recent Exchange vulnerabilities:<\/strong><\/div><div dir=\"auto\">\u00a0<\/div><div dir=\"auto\"><a id=\"LPlnk524762\" href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/03\/06\/microsoft-ioc-detection-tool-exchange-server-vulnerabilities\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/03\/06\/microsoft-ioc-detection-tool-exchange-server-vulnerabilities<\/a><\/div><\/div><div dir=\"auto\">\u00a0<\/div><div dir=\"auto\"><strong>Nmap Check<\/strong><\/div><div dir=\"auto\"><p class=\"x_MsoNormal\">There is a method to check whether a recently patched (or unknown) server is still vulnerable to the SSRF exploit.<\/p><p 
class=\"x_MsoNormal\">Please run this procedure for each of your assigned clients, whether or not they have been patched: we MUST ensure they are not vulnerable, even if we think we applied the patch.\u00a0<\/p><ul type=\"disc\"><li class=\"x_MsoListParagraph\">Jump on a util machine inside the customer network, or any other machine as long as it is internal.<\/li><li class=\"x_MsoListParagraph\">Download nmap from the nmap website and install it with default settings.<\/li><li class=\"x_MsoListParagraph\">Download the nse script from Microsoft:\u00a0<a href=\"https:\/\/github.com\/microsoft\/CSS-Exchange\/releases\/latest\/download\/http-vuln-cve2021-26855.nse\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">https:\/\/github.com\/microsoft\/CSS-Exchange\/releases\/latest\/download\/http-vuln-cve2021-26855.nse<\/a><\/li><li class=\"x_MsoListParagraph\">Move the nse script file you just downloaded under c:\\program files (x86)\\nmap\\scripts<\/li><li class=\"x_MsoListParagraph\">Open nmap<\/li><li class=\"x_MsoListParagraph\">In the Command field type: nmap -sV -p 443 --script=http-vuln-cve2021-26855 --script-args vulns.showall IPOFTHEEXCHANGESERVER<\/li><\/ul><img loading=\"lazy\" decoding=\"async\" width=\"1229\" height=\"69\" class=\"alignnone size-full wp-image-5012  img-responsive\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9dec63c.png\" alt=\"\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9dec63c.png 1229w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9dec63c-300x17.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9dec63c-1024x57.png 1024w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9dec63c-768x43.png 768w\" sizes=\"auto, (max-width: 1229px) 100vw, 1229px\" \/><p class=\"x_MsoNormal\">You must confirm that the output says \u201cNOT VULNERABLE\u201d.<\/p><img loading=\"lazy\" decoding=\"async\" width=\"811\" 
height=\"304\" class=\"alignnone size-full wp-image-5011  img-responsive\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9d38458.png\" alt=\"\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9d38458.png 811w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9d38458-300x112.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9d38458-768x288.png 768w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\" \/><p class=\"x_MsoNormal\">Example of a vulnerable server:<\/p><img loading=\"lazy\" decoding=\"async\" width=\"1086\" height=\"318\" class=\"alignnone size-full wp-image-5013  img-responsive\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9ee7bef.png\" alt=\"\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9ee7bef.png 1086w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9ee7bef-300x88.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9ee7bef-1024x300.png 1024w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8c9ee7bef-768x225.png 768w\" sizes=\"auto, (max-width: 1086px) 100vw, 1086px\" \/><\/div><p class=\"x_MsoNormal\">\u00a0<\/p><p><strong>What to do if you\u2019re compromised<\/strong><\/p><ul type=\"disc\"><li class=\"x_MsoListParagraph\">Reset all users\u2019 accounts. ALL of them. Service accounts and administrators included.<\/li><li class=\"x_MsoListParagraph\">Review all users added\/removed\/edited during the last 2 weeks, as well as any security group changes made.<\/li><li class=\"x_MsoListParagraph\">Immediate isolation of the Exchange server (if the server is exploited, full access is possible). Create a fresh Exchange server and migrate mailboxes off the old one (for this I invoke the Exchange experts). 
Burn the old Exchange server.<\/li><li>Restore from backup<\/li><\/ul><p>&nbsp;<\/p><ul type=\"disc\"><li class=\"x_MsoListParagraph\">This repo contains all the hashes of the files you are supposed to have in Exchange. If something is different, consider the installation compromised.\u00a0<a href=\"https:\/\/github.com\/nccgroup\/Cyber-Defence\/tree\/master\/Intelligence\/Exchange\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">https:\/\/github.com\/nccgroup\/Cyber-Defence\/tree\/master\/Intelligence\/Exchange<\/a><\/li><li class=\"x_MsoListParagraph\">This repo has a ps1 script which goes through logs and files to check for indicators of compromise.\u00a0<a href=\"https:\/\/github.com\/microsoft\/CSS-Exchange\/tree\/main\/Security\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">https:\/\/github.com\/microsoft\/CSS-Exchange\/tree\/main\/Security<\/a><\/li><li class=\"x_MsoListParagraph\">This is the Microsoft Safety Scanner, provided by Microsoft.\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/intelligence\/safety-scanner-download\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/intelligence\/safety-scanner-download<\/a><\/li><\/ul><p><img loading=\"lazy\" decoding=\"async\" width=\"645\" height=\"314\" class=\"alignnone size-full wp-image-5018  img-responsive\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8e850daef.png\" alt=\"\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8e850daef.png 645w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604a8e850daef-300x146.png 300w\" sizes=\"auto, (max-width: 645px) 100vw, 645px\" \/><\/p><p class=\"x_MsoNormal\">If you install the patch by downloading it and just double-clicking on it, the patch will install but\u00a0<b><u>not<\/u><\/b>\u00a0fix the 
vulnerability, because the Exchange services are still running and the installer can\u2019t replace the files.<\/p><p class=\"x_MsoNormal\">\u00a0<\/p><p class=\"x_MsoNormal\">See the known issues section of the KB article below. The update also has a known side effect of leaving some services disabled.<\/p><p class=\"x_MsoNormal\"><a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">https:\/\/support.microsoft.com\/en-us\/topic\/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b<\/a><\/p><p class=\"x_MsoNormal\">\u00a0<\/p><p class=\"x_MsoNormal\">Microsoft released patches for older\/unsupported Exchange CUs to help customers secure their servers faster:<\/p><p class=\"x_MsoNormal\">\u00a0<\/p><p class=\"x_MsoNormal\"><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/march-2021-exchange-server-security-updates-for-older-cumulative\/ba-p\/2192020\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/march-2021-exchange-server-security-updates-for-older-cumulative\/ba-p\/2192020<\/a><\/p><p class=\"x_MsoNormal\">\u00a0<\/p><p><img loading=\"lazy\" decoding=\"async\" width=\"1014\" height=\"181\" class=\"alignnone size-full wp-image-5022  img-responsive\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604ec4e8ea3d9.png\" alt=\"\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604ec4e8ea3d9.png 1014w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604ec4e8ea3d9-300x54.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_604ec4e8ea3d9-768x137.png 768w\" sizes=\"auto, 
(max-width: 1014px) 100vw, 1014px\" \/><\/p><p class=\"x_MsoNormal\">\u00a0<\/p><p><img loading=\"lazy\" decoding=\"async\" width=\"728\" height=\"380\" class=\"alignnone size-full wp-image-5037  img-responsive\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_605139a29457c.png\" alt=\"\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_605139a29457c.png 728w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_605139a29457c-300x157.png 300w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><\/p><p>Microsoft on Monday released a one-click mitigation software that applies all the necessary countermeasures to secure vulnerable environments against the ongoing widespread\u00a0<a href=\"https:\/\/thehackernews.com\/2021\/03\/microsoft-exchange-cyber-attack-what-do.html\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">ProxyLogon Exchange Server<\/a>\u00a0cyberattacks.<\/p><p>Called Exchange On-premises Mitigation Tool (<a href=\"https:\/\/github.com\/microsoft\/CSS-Exchange\/tree\/main\/Security#exchange-on-premises-mitigation-tool-eomt\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">EOMT<\/a>), the PowerShell-based script serves to mitigate against current known attacks using CVE-2021-26855, scan the Exchange Server using the\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/intelligence\/safety-scanner-download\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">Microsoft Safety Scanner<\/a>\u00a0for any deployed web shells, and attempt to remediate the detected compromises.<\/p><p>&#8220;This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch\/update process or who have not yet applied the on-premises Exchange security update,&#8221; Microsoft\u00a0<a 
href=\"https:\/\/msrc-blog.microsoft.com\/2021\/03\/15\/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">said<\/a>.<\/p><p>The development comes in the wake of indiscriminate attacks against unpatched Exchange Servers across the world by more than ten advanced persistent threat actors \u2014 most of the government-backed cyberespionage groups \u2014 to plant backdoors, coin miners, and\u00a0<a href=\"https:\/\/thehackernews.com\/2021\/03\/icrosoft-exchange-ransomware.html\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">ransomware<\/a>, with the release of\u00a0<a href=\"https:\/\/thehackernews.com\/2021\/03\/proxylogon-exchange-poc-exploit.html\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">proof-of-concept<\/a>\u00a0(PoC) fueling the hacking spree even further.<\/p><p>Based on telemetry from\u00a0<a href=\"https:\/\/www.riskiq.com\/blog\/external-threat-management\/microsoft-exchange-server-landscape\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">RiskIQ<\/a>, 317,269 out of 400,000 on-premises Exchange Servers globally have been patched as of March 12, with the U.S., Germany, Great Britain, France, and Italy leading the countries with vulnerable servers.<\/p><p>Additionally, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) has\u00a0<a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa21-062a\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">updated<\/a>\u00a0its guidance to detail as many as seven variants of the\u00a0<a href=\"https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/global\/en\/current-threats\/pdfs\/rpt-china-chopper.pdf\" target=\"_blank\" rel=\"noopener noreferrer\" data-auth=\"NotApplicable\">China Chopper<\/a>\u00a0web shell that are being leveraged by malicious actors.<\/p><p><img loading=\"lazy\" decoding=\"async\" width=\"728\" height=\"347\" class=\"alignnone size-full wp-image-5038  img-responsive\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_605139a333178.png\" alt=\"\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_605139a333178.png 728w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2021\/03\/img_605139a333178-300x143.png 300w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><\/p>","protected":false},"excerpt":{"rendered":"<p>Partial mitigation for clients unable to patch immediately:\u00a0https:\/\/msrc-blog.microsoft.com\/2021\/03\/05\/microsoft-exchange-server-vulnerabilities-mitigations-march-2021\/\u00a0Microsoft has released a script to assist in checking for signs of being compromised by the recent exchange vulnerabilities:\u00a0https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/03\/06\/microsoft-ioc-detection-tool-exchange-server-vulnerabilities\u00a0Nmap CheckThere 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5007","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/5007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=5007"}],"version-history":[{"count":7,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/5007\/revisions"}],"predecessor-version":[{"id":5039,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/5007\/revisions\/5039"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=5007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=5007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=5007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}