StefanFalk-3673 asked:

Question about Hafnium-related entry in IIS log file

Hello everybody,

A German customer is running Exchange 2016 and installed CU19 and the Hafnium patch on 2021-03-04. Running the then-current version of the Test-Hafnium.ps1 script, which the Exchange team put on GitHub, showed:

"DateTime","AnchorMailbox"
"2021-03-03T08:06:05.126Z","ServerInfo~a]@exchange.customerdomain.de/autodiscover/autodiscover.xml?#"
"2021-03-03T11:33:18.593Z","ServerInfo~a]@exchange.customerdomain.de/autodiscover/autodiscover.xml?#"
"2021-03-03T13:39:33.153Z","ServerInfo~a]@exchange.customerdomain.de/autodiscover/autodiscover.xml?#"
"2021-03-03T13:39:36.546Z","ServerInfo~a]@exchange.customerdomain.de/mapi/emsmdb/?#"
"2021-03-03T13:39:38.925Z","ServerInfo~a]@exchange.customerdomain.de/ecp/proxyLogon.ecp?#"
"2021-03-03T13:39:42.650Z","ServerInfo~a]@exchange.customerdomain.de/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=-OlNq08-d06AaYApbaSPFtoynh_c39gIS35a8dhtli23cZk8G1r--7R0C8P_ce8LqCfENIZYkg0.&schema=OABVirtualDirectory#"

I would interpret this as an attempt to use an already installed Hafnium backdoor, if there was one, but not as a sign of a successful attack, neither of the installation of the backdoor nor of a successful exploitation. So someone tried to find out whether that server had the backdoor installed, but I feel it was never installed. IIS logs were available back to early January 2021.

Would you agree, or is this a sign that the server had been compromised?


office-exchange-server-itpro
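As an added illustration of the kind of check the question's output comes from (this is example code, not the Microsoft script): the published script reported HttpProxy log rows where the request was unauthenticated and the AnchorMailbox header had the form `ServerInfo~<something>/<backend path>`. The detector below applies that rule to a constructed, reduced HttpProxy CSV (placeholder hostnames) and summarizes which backend paths were probed; the exact column set and the regex are assumptions.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of an Exchange HttpProxy log, reduced to the columns the
# check needs. Hostnames and the user are placeholders, not real values.
SAMPLE_LOG = """DateTime,AuthenticatedUser,AnchorMailbox,UrlStem
2021-03-03T08:06:05.126Z,,ServerInfo~a]@exchange.example.test/autodiscover/autodiscover.xml?#,/autodiscover/autodiscover.xml
2021-03-03T08:10:11.000Z,EXAMPLE\\jdoe,ServerInfo~exchange.example.test,/owa/
2021-03-03T13:39:36.546Z,,ServerInfo~a]@exchange.example.test/mapi/emsmdb/?#,/mapi/emsmdb/
2021-03-03T13:39:38.925Z,,ServerInfo~a]@exchange.example.test/ecp/proxyLogon.ecp?#,/ecp/proxyLogon.ecp
2021-03-03T14:00:00.000Z,,Sid~S-1-5-21-1-2-3-1001,/EWS/Exchange.asmx
"""

# Assumed signature: an anchor mailbox that names a target followed by a
# backend path. A legitimate proxy request carries a mailbox identity instead.
ANCHOR_RE = re.compile(r"^ServerInfo~(?P<target>[^/]+)/(?P<path>[^?#]*)")


@dataclass(frozen=True)
class Hit:
    when: str
    target: str
    path: str


def find_ssrf_hits(log_text):
    """Return rows that are unauthenticated AND carry a ServerInfo~.../path anchor."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row.get("AuthenticatedUser", "").strip():
            continue  # authenticated proxying is normal Exchange behaviour
        m = ANCHOR_RE.match(row.get("AnchorMailbox", ""))
        if m is None:
            continue
        hits.append(Hit(row["DateTime"], m["target"], "/" + m["path"]))
    return hits


def summarize(hits):
    """Count hits per backend path, giving a quick view of which endpoints were probed."""
    counts = {}
    for h in hits:
        counts[h.path] = counts.get(h.path, 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_ssrf_hits(SAMPLE_LOG):
        print(h.when, h.target, h.path)
    print(summarize(find_ssrf_hits(SAMPLE_LOG)))
```

A hit only shows that the unauthenticated front-end path was requested; whether the backend call succeeded has to be confirmed from the backend logs and from the artifacts the Safety Scanner and the Microsoft guidance look for.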

ZhengqiLou-MSFT answered:

Hi @StefanFalk-3673 ,

As the Microsoft documentation explains:
[image: screenshot of the Microsoft documentation]
I think you may have been attacked via CVE-2021-26855; as the security update has fixed this SSRF vulnerability, I think your Exchange server is safe now.

But it is also suggested to double-check the whole system with Safety Scanner (provided by Andy above), or to apply the mitigation: ExchangeMitigations.ps1.

Regards,
Lou





AndyDavid answered:

Scan for any known malware from these exploits:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


If you do not find any, that's a pretty good sign that there is no compromise, but they should remain vigilant.
Ensure you have a permanent anti-malware solution.


StefanFalk-3673 answered:

Hello Andy and Lou,

Thank you for your valuable input. I wanted to accept both of your postings as the answer, but one can only pick one.

We have run all those tools and are now confident that the server hasn't been hacked. Thank you again.

Best Regards,
Stefan
