Question

SusanDodds-3538 asked:

CVE-2021-27065 exploited

Server 2016, Exchange 2016. Earlier CU at time of attack. Upgraded to CU19, installed the security patch.

After upgrading to CU19, I ran Microsoft Safety Scanner, found CVE-2021-27065.

The scanner successfully removed it.

What are my next steps?

Is it safe for me to log into the ECP?

Tags: office-exchange-server-administration, office-exchange-server-itpro

AndyDavid answered:

I would read this.
Be sure to purchase and use anti-malware protection on the Exchange Servers.


https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

If you find any evidence of exploitation (e.g., in Exchange application logs), ensure you are retaining the logs, and use the details such as timestamps and source IPs to drive further investigation.


If you find known bad files using your endpoint security solution, the Microsoft IOC feed, or the Microsoft Safety Scanner, take the following actions:

- Remediate and quarantine them for further investigation unless they are expected customizations in your environment.
- Search your IIS logs to identify whether or not the files identified as malicious have been accessed.
- Consider submitting suspected malicious files to Microsoft for analysis following this guidance: Submit files for analysis by Microsoft – Windows security | Microsoft Docs and include the string “ExchangeMarchCVE” in the Additional Information text box of the submission form.
- As part of hunting and scanning, if you find evidence of exploitation of the Unified Messaging RCE (CVE-2021-26857), you should delete potential uncleaned exploit files in %ExchangeInstallPath%\UnifiedMessaging\voicemail

If you find any evidence of external access to a suspect file identified above, use this information to drive further investigation on impacted servers and across your environment. Our blog post on the Hafnium attack goes into details for folks who need additional details for IOC’s, File Hashes, etc.: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

If any of your security detections or the investigation tools results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance. It is particularly critical if you suspect that your Exchange environment is compromised by a persistent adversary that you coordinate your response using alternative communications channels as mentioned earlier in this document.

SusanDodds-3538 commented:

The Safety Scanner only found evidence of CVE-2021-27065.

The only IP I could find was ::1.

There was potential evidence of OAB and OWA URL manipulation in the log files, but the URLs have since been set back. I didn't see any change in the OWA URL, and the OAB URL was set at factory default when I checked it, but this was after the newest CU was installed.

I only saw evidence of this in one day at the end of last month.

ECP log file: searched for S:CMD=Set-OabVirtualDirectory.ExternalUrl=
IIS log file: searched for /ecp/DDI/DDIService.svc/SetObject

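The two log searches described in this comment, together with the "search your IIS logs to identify whether the files identified as malicious have been accessed" step from the MSRC guidance quoted in the answer above, as an added PowerShell example. This is not a script from the thread, from Microsoft or from MSERT. The log locations, the W3C field order (read from each file's own "#Fields:" header) and the sample log lines are assumptions and constructed data; the list of suspect file paths has to come from your own MSERT or endpoint findings.

```powershell
# Added example, not a script from this thread, Microsoft or MSERT.
# Assumptions: default IIS and ECP server log locations (below), W3C-format
# IIS logs whose column order is given by the #Fields: header, and that the
# suspect file list comes from your own scanner results.
# Run in an elevated PowerShell on the Exchange server.

$IisLogRoot = 'C:\inetpub\logs\LogFiles'                           # assumption
$EcpLogRoot = "${env:ExchangeInstallPath}Logging\ECP\Server"        # assumption (ExchangeInstallPath ends with a backslash)

function ConvertFrom-IisW3C {
    # Parse W3C-format IIS log text into objects, using the file's own
    # "#Fields:" header so the column order is never hard-coded.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split ' '
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

function Find-EcpSetObject {
    # Requests to the ECP DDI SetObject endpoint, the IIS-side trace of a
    # Set-OabVirtualDirectory ExternalUrl write. For every hit look at the
    # time, c-ip and cs-uri-query. ::1 is loopback, so pair a hit on the
    # back-end site (port 444) with the front-end (port 443) entries at the
    # same timestamp to find the external source address.
    param([object[]]$Entries)
    $Entries |
        Where-Object { $_.'cs-uri-stem' -match '^/ecp/DDI/DDIService\.svc/SetObject$' } |
        Select-Object date, time, 'c-ip', 's-port', 'cs-uri-query', 'sc-status'
}

function Find-SuspectFileAccess {
    # Was any file the scanner flagged actually requested over HTTP?
    # $SuspectPaths are URL paths, e.g. '/aspnet_client/x.aspx'.
    param([object[]]$Entries, [string[]]$SuspectPaths)
    $Entries |
        Where-Object { $SuspectPaths -contains $_.'cs-uri-stem' } |
        Select-Object date, time, 'c-ip', 'cs-method', 'cs-uri-stem', 'sc-status'
}

function Find-OabExternalUrlSets {
    # Raw search of the ECP server logs for the command string the poster
    # used, keeping only lines that also set ExternalUrl.
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch 'S:CMD=Set-OabVirtualDirectory' |
        Where-Object { $_.Line -match 'ExternalUrl=' } |
        Select-Object Filename, LineNumber, Line
}

# --- Constructed sample log lines (not real data) so the parsing runs offline ---
$sampleIis = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-02-28 03:11:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=OABVirtualDirectory&msExchEcpCanary=abcd 444 - ::1 python-requests/2.25.1 - 200 0 0 31
2021-02-28 03:12:40 10.0.0.5 GET /aspnet_client/system_web/help.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 5
2021-02-28 09:00:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 12
'@ -split "`r?`n"

$entries = ConvertFrom-IisW3C -Lines $sampleIis

'== SetObject requests =='
Find-EcpSetObject -Entries $entries | Format-Table -AutoSize

'== Requests for scanner-flagged files =='
Find-SuspectFileAccess -Entries $entries -SuspectPaths @('/aspnet_client/system_web/help.aspx') |
    Format-Table -AutoSize

# On a real server, replace the sample with the actual logs:
# $entries = Get-ChildItem $IisLogRoot -Recurse -Filter '*.log' |
#     ForEach-Object { ConvertFrom-IisW3C -Lines (Get-Content $_.FullName) }
# Find-OabExternalUrlSets -Path $EcpLogRoot | Format-Table -AutoSize
```

Retain the matching log files before anything rotates them, and treat a SetObject hit whose query names OABVirtualDirectory, or any 200 response for a flagged file from a non-loopback address, as evidence that should drive the incident-response steps from the MSRC guidance rather than just a cleanup.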

AndyDavid commented:

Ok, well I can't tell you if you have anything else to be concerned about or are still compromised.
I would keep monitoring and get an anti-malware solution installed on the Exchange Server.

YukiSun-MSFT answered:

Hi @SusanDodds-3538,

According to the Defender-MSERT-Guidance, "these remediation steps are effective against known attack patterns but are not guaranteed as complete mitigation for all possible exploitation of these vulnerabilities", so agree with Andy that it's suggested to configure an anti-malware solution and keep monitoring. Besides, you can download a new copy of MSERT often, as updates are made in the tool regularly.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


YukiSun-MSFT commented:

Hi @SusanDodds-3538,

Just checked in to follow up with this thread. Please post back at your convenience if we can assist further.
