Exchange server exploit detected
Microsoft has issued a notice about a security flaw in its Exchange email server. The exploit is called Hafnium and is apparently sponsored by China. Microsoft warns that Hafnium targets, "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs."
The exploit works by gaining access to the Exchange server using stolen passwords and then using a web shell to control the server remotely. The exploit is operated from virtual private servers based in the United States. The exploit can make use of PowerShell to export data from an Outlook profile.
Security updates which address the Hafnium vulnerability are available here. Microsoft has also posted a script to Github which can be used to scan log files for signs that an Exchange server has been compromised. See: https://github.com/microsoft/CSS-Exchange/tree/main/Security .
This simple findstr Windows command is recommended to check for signs that Hafnium exploit has infected a server:
findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
Microsoft also helps businesses and law firms search for signs of the exploit by posting the hash values of the Hafnium web shells that have been found, and the names of the .aspx files used by the web shells. These active server page extended files are used by servers to communicate with a web browser.