
Microsoft has issued a notice about a security flaw in its Exchange email server. The exploit is called Hafnium and is apparently sponsored by China. Microsoft warns that Hafnium targets "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs."


The exploit works by gaining access to the Exchange server using stolen passwords and then using a web shell to control the server remotely. The exploit is operated from virtual private servers based in the United States. The exploit can make use of PowerShell to export data from an Outlook profile.


Security updates which address the Hafnium vulnerability are available here. Microsoft has also posted a script to GitHub which can be used to scan log files for signs that an Exchange server has been compromised. See: https://github.com/microsoft/CSS-Exchange/tree/main/Security .


This simple findstr Windows command is recommended to check for signs that the Hafnium exploit has infected a server:


findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"


Microsoft also helps businesses and law firms search for signs of the exploit by posting the hash values of the Hafnium web shells that have been found, and the names of the .aspx files used by the web shells. These Active Server Page Extended (.aspx) files are used by servers to communicate with a web browser.
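As an added illustration (not part of the original post, and not one of Microsoft's CSS-Exchange scripts), the PowerShell below performs the same log search as the findstr command above and adds a hash check of .aspx files against a list of published web shell hashes. The OABGeneratorLog path is the one from the post; the inetpub search root and the hash placeholder are assumptions to be replaced with the directories and hash values Microsoft published.

```powershell
# Added example, not from the original post or from Microsoft's scripts.
# Assumptions: OABGeneratorLog path as given in the post; $SearchRoot and the
# hash placeholder below must be replaced with Microsoft's published values.

function Find-OabGeneratorIndicator {
    param(
        [string]$LogPath = "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog",
        [string]$Pattern = 'Download failed and temporary file'
    )
    # Equivalent of: findstr /snip /c:"Download failed and temporary file" <LogPath>\*.log
    # (/s recurse, /n line numbers, /i case-insensitive, /p skip binary files)
    Get-ChildItem -Path $LogPath -Filter '*.log' -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch -Pattern $Pattern |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.Path
                LineNumber = $_.LineNumber
                Line       = $_.Line.Trim()
            }
        }
}

function Find-KnownWebShell {
    param(
        [Parameter(Mandatory)][string]$SearchRoot,
        [Parameter(Mandatory)][string[]]$KnownSha256   # hashes from Microsoft's published list
    )
    # Case-insensitive set so the hex case of the supplied list does not matter
    $lookup = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $KnownSha256) { [void]$lookup.Add($h) }

    Get-ChildItem -Path $SearchRoot -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if ($lookup.Contains($hash)) {
                [pscustomobject]@{
                    File      = $_.FullName
                    Sha256    = $hash
                    LastWrite = $_.LastWriteTimeUtc
                }
            }
        }
}

# Usage: the search root (IIS default web root, assumed) and the hash are placeholders.
Find-OabGeneratorIndicator | Format-Table -AutoSize
Find-KnownWebShell -SearchRoot "$env:SystemDrive\inetpub\wwwroot" `
                   -KnownSha256 @('<SHA256_FROM_MICROSOFT_PUBLISHED_LIST>') | Format-Table -AutoSize
```

An empty result from both functions is only one signal; it should be read alongside the GitHub scanning script the post links to, not in place of it.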


Arbitrary code execution (ACE) is a form of cyber attack which allows the attacker to execute code of his or her choosing in software or on hardware. Remote code execution (RCE) is an exploit that allows that code to be executed on a machine reached over a network.


ACE can operate by using a flaw in a web browser to act with the same privileges as the user. ACE exploits can turn off security protections or hijack a computer to launch attacks on other computers. An example of an ACE attack is shown here on the site of the Cybersecurity & Infrastructure Security Agency in a report about GE's CIMPLICITY automation software for manufacturing systems.




The vulnerability allows the attacker to escalate his or her privileges in the system.



• Feb 28, 2021

A standard step in confirming that your PC is not infected with malware is to remove any toolbars which have been installed. Geek Uninstaller, available for download here, is designed to assist with the removal of programs which cannot be uninstalled by your operating system.


Geek Uninstaller will list both toolbars and all programs installed on your PC.



Third-party uninstalling programs like Geek Uninstaller will get rid of folders, shortcuts, registry entries and temporary files that Windows may leave in place.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

If you have a question or comment about this blog, please make a submission using the form to the right.


© 2015 by Sean O'Shea. Proudly created with Wix.com
