Search
    • Mar 6

Exchange server exploit detected

Microsoft has issued a notice about a security flaw in its Exchange email server. The exploit is called Hafnium and is apparently sponsored by China. Microsoft warns that Hafnium targets, "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs."


The exploit works by gaining access to the Exchange server using stolen passwords and then using a web shell to control the server remotely. The exploit is operated from virtual private servers based in the United States. The exploit can make use of PowerShell to export data from an Outlook profile.


Security updates which address the Hafnium vulnerability are available here. Microsoft has also posted a script to Github which can be used to scan log files for signs that an Exchange server has been compromised. See: https://github.com/microsoft/CSS-Exchange/tree/main/Security .


This simple findstr Windows command is recommended to check for signs that Hafnium exploit has infected a server:


findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"


Microsoft also helps businesses and law firms search for signs of the exploit by posting the hash values of the Hafnium web shells that have been found, and the names of the .aspx files used by the web shells. These active server page extended files are used by servers to communicate with a web browser.

    • Mar 5

Don't get hijacked by ACE (or RCE)

Arbitrary code execution (ACE) is a form of cyber attack which allows the attacker to execute code in software or on hardware. Remote code execution (RCE) is an exploit that allows the code to be executed on a network.


ACE can operate by using a flaw in a web browser to act with the same privileges as the user. ACE exploits can turn off security protections or hijack a computer to launch attacks on other computers. An example of an ACE attack is shown here on the site of the Cybersecurity & Infrastructure Security Agency in a report about GE's CIMPLICITY automation software for manufacturing systems.




The vulnerability allows the attacker to extend his or her privileges in the system.










    • Feb 28

Geek Uninstaller

A standard procedure to follow in order to confirm that your PC is not infected with any malware is to remove any toolbars which have been installed. Geek Uninstaller, available for download here, is designed to assist with the removal of programs which cannot be uninstalled by your operating system.


Geek Uninstaller will list both toolbars and all programs installed on your PC.



Third party uninstalling programs like Geek Uninstaller will get rid of folders, shortcuts, registry entries and temporary files that Windows may leave in place.

Sean O'Shea has more than 15 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

 

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

 

This policy is subject to change at any time.

 

Contact Me With Your Litigation Support Questions:

seankevinoshea@hotmail.com

  • Twitter Long Shadow

© 2015 by Sean O'Shea . Proudly created with Wix.com