Jendislav-8353 asked ·

Exchange attack Hafnium

Hello, can anybody please tell me from this log whether my 2 servers have been compromised? Thank you.
Server log
CVE-2021-26855
"2021-03-03T07:52:03.579Z","ServerInfo~a]@server.domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-04T23:03:44.923Z","ServerInfo~akak]@server.domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T05:37:27.400Z","ServerInfo~akak]@server.domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:44:51.174Z","ServerInfo~a]@server.domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:44:54.680Z","ServerInfo~a]@server.domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:45:32.913Z","ServerInfo~a]@server/autodiscover/autodiscover.xml#"
"2021-03-06T14:55:28.198Z","ServerInfo~burpcollaborator.net/ecp/default.flt?"

office-exchange-server-administration
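The lines pasted in the question are the CVE-2021-26855 section of the script output (timestamp plus the AnchorMailbox value that made the front end forward the request). The helper below is an added example, not code from the thread or from Microsoft's script: it parses such lines, extracts the host the proxy was told to forward to, and flags entries whose target is outside your own Exchange hosts, as the burpcollaborator.net line here is. The sample lines are constructed from the question and KNOWN_BACKENDS is an assumed list of your own server names.

```python
"""Triage the CVE-2021-26855 section of Test-ProxyLogon-style output (added example)."""
import re
from datetime import datetime
from typing import NamedTuple

# Constructed sample modelled on the lines in the question; hostnames are placeholders.
SAMPLE = """\
"2021-03-03T07:52:03.579Z","ServerInfo~a]@server.domain.local:444/autodiscover/autodiscover.xml?#"
"2021-03-05T16:45:32.913Z","ServerInfo~a]@server/autodiscover/autodiscover.xml#"
"2021-03-06T14:55:28.198Z","ServerInfo~burpcollaborator.net/ecp/default.flt?"
"""

# Assumption: the names your own Exchange backends appear under (FQDN and short name).
KNOWN_BACKENDS = {"server.domain.local", "server"}

LINE_RE = re.compile(r'^"(?P<ts>[^"]+)","(?P<anchor>ServerInfo~[^"]*)"$')


class Hit(NamedTuple):
    when: datetime
    anchor: str
    target_host: str   # host the proxy was told to forward the request to
    path: str
    external: bool     # True when target_host is not one of our backends


def target_of(anchor: str) -> tuple[str, str]:
    """Split 'ServerInfo~<junk>]@host:port/path' or 'ServerInfo~host/path' into (host, path)."""
    body = anchor[len("ServerInfo~"):]
    if "]@" in body:               # the '<junk>]@backend:port/...' form seen in the question
        body = body.split("]@", 1)[1]
    host_port, _, path = body.partition("/")
    return host_port.split(":", 1)[0].lower(), "/" + path


def triage(text: str) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip headers and blank lines
        host, path = target_of(m["anchor"])
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        hits.append(Hit(when, m["anchor"], host, path, host not in KNOWN_BACKENDS))
    return hits


def external_targets(text: str) -> set[str]:
    """Forward targets outside KNOWN_BACKENDS: each one is a lead for incident response."""
    return {h.target_host for h in triage(text) if h.external}
```

Entries that point at your own backend are still what exploitation of this CVE looks like, so they are not benign; the external flag only prioritises the lines that additionally show an outbound callback.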

AndyDavid answered ·

Probably. Consider opening a Microsoft support ticket or hiring a security consultant to investigate further:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/


Personally, I would take all the Exchange Servers offline and rebuild them from scratch.


I opened a ticket with Microsoft and Microsoft told me they cannot solve that issue with that type of ticket. You need to have Premier support to get them to at least start solving that. So Microsoft is not the one who will help you solve this problem.

EricYin-MSFT answered ·

You could run the script here and it will give you a result like the following if it's not affected:
(screenshot 3.png)



If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




I ran that script and got the result mentioned in the first post. I updated Exchange to the latest CU and updates meanwhile.


But what must we do when the server is infected according to the script?

Jendislav-8353 replied to JaapWesselius-5995 ·

Restore the server from backup. The first described case of this vulnerability being used is from the end of January 2021.
Or pay some external expert who will check your server for you... or find a company which has access to Premier support (like we are doing now). But you can't ever be sure your system is clear, because I think Microsoft will not know it either. There is not enough info about this attack and nobody knows who compromised your system and what he wants to do with that access. I have 2 Exchanges compromised. :(


But I'm missing a formal answer from Microsoft on what to do. My recommendation is to scratch the server and rebuild, but I'd like to hear that from Microsoft.
