JSSCGY-9407 asked HieuCao-5321 commented

Exchange Server Vulnerability - Still Having Issues after all Patch and CU20 Updates

Hello everyone,

As per Microsoft recommendations, we already installed all security patches earlier in March and installed the CU 20 updates. Here are the details about our issues. Any help on this will be appreciated:

Issue: High CPU utilization due to cmd.exe process

Exchange 2016 Standard

Work done so far:
All patches installed, CU 20 installed. Performed multiple scans with Microsoft Safety Scanner; every time it finds and removes "Backdoor:MSIL/Chopper.F!dha", but the next day the same issue occurs.

Opened CMD.exe file with process explorer today and found following scripts:
C:\Windows\System32\cmd.exe -o 95.216.46.125:443 -u 44EspGiviPdeZSZyX1r3R9RhpGCkxYACEKUwbA4Gp6cVCzyiNeB21STWYsJZYZeZt63JaUn8CVxDeWWGs3f6XNxGPtSuUEX -k --tls -p MOON

Also ran the Exchange Mitigation Tool and it did not find anything.

Tags: office-exchange-server-administration, windows-server-security
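An added defender-side check for the pattern in the original post (this is not code from the thread or from Microsoft): it lists processes named cmd.exe whose command line carries the miner pool options shown above (`-o host:port`, `-u <wallet>`, `--tls`) and reports which process spawned them. It assumes that on an Exchange server a cmd.exe started by the IIS worker process w3wp.exe points at a webshell; run it in an elevated PowerShell session.

```powershell
# Snapshot all processes once so parents can be resolved without a second query.
$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

# Miner-style arguments as seen in the original post: a pool in -o host:port form
# and a long alphanumeric wallet after -u. --tls/-k/-p are optional extras.
$poolArg   = '\s-o\s+\S+:\d+\b'
$walletArg = '\s-u\s+[A-Za-z0-9]{40,}'

$hits = foreach ($p in $procs) {
    if ($p.Name -ne 'cmd.exe' -or -not $p.CommandLine) { continue }
    if ($p.CommandLine -notmatch $poolArg -or $p.CommandLine -notmatch $walletArg) { continue }

    $parent = $byId[[int]$p.ParentProcessId]
    [pscustomobject]@{
        ProcessId      = $p.ProcessId
        ExecutablePath = $p.ExecutablePath
        ParentPid      = $p.ParentProcessId
        ParentName     = if ($parent) { $parent.Name } else { '<exited>' }
        # Assumption: a cmd.exe whose parent is the IIS worker is webshell-driven.
        SpawnedByIis   = [bool]($parent -and $parent.Name -eq 'w3wp.exe')
        # Win32_Process reports CPU time in 100-ns units; convert to seconds.
        CpuSeconds     = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
        UsesTls        = $p.CommandLine -match '--tls'
        CommandLine    = $p.CommandLine
    }
}

if ($hits) {
    $hits | Format-List
} else {
    'No cmd.exe with miner-style pool/wallet arguments is running.'
}
```

Pair a hit's ParentPid with the IIS request logs for that moment to find the .aspx file that launched it; killing the process alone does not remove the dropped webshell.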

We just got hit with this as well. Fully patched Exchange 2016.

That said, Microsoft did put out a new cumulative update this morning for both Exchange 2016 and Exchange 2019.
https://docs.microsoft.com/en-us/Exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

Ladies and gentlemen, get to patching!

LucasLiu-MSFT answered LucasLiu-MSFT commented

Hi @JSSCGY-9407 ,
Are there any Exchange functions that are not working properly?

According to my research on "Backdoor:MSIL/Chopper.F!dha", I found that this is a security issue about Windows Server, not specific to Exchange. I can provide limited help. So I helped you add a "Windows-server-security" tag, which will bring in professional engineers to help you.

Based on my research on this issue, I recommend that you upgrade your Windows Server to the latest version and install the relevant security update. Then you could scan your PC by using Microsoft Defender. In addition, if none of these methods solves it, reinstalling the Windows system will be our last choice.
For more information you could refer to: Troubleshoot problems with detecting and removing malware



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Hi LucasLiu-MSFT,

Thanks for your response.

Exchange functions on the server are working fine. During our initial scans in March, all malicious .aspx files were removed with Microsoft Safety Scanner.

We have Exchange 2016 Std. running on Windows Server 2016 Std, and this server is up to date with Windows patches and the CU20 latest updates for Exchange 2016.

With Microsoft Safety Scanner, it detects and removes "Backdoor:MSIL/Chopper.F!dha", but the same issue appears after a few hours.

Hi @JSSCGY-9407 ,
As I mentioned above, this security issue is not specific to Exchange Server, and this malicious file is not involved in the latest Exchange security patch.
According to the article provided above, for malware that keeps coming back, it is recommended that you use Windows Defender Offline to scan. Please refer to: Help protect my PC with Microsoft Defender Offline
OrhanYILDIRIM-1505 answered

Hi @JSSCGY-9407,

The same is happening to me. Did you find a solution?

Thanks

dyna-3691 answered

Same problem on 2 exchange 2016 servers for 2 customers. Seems to be only happening on 2016. Customers with 2019 and even one with an old 2013 install have no problems.

After killing the mining process and running MSERT, it's always Chopper.F!dha that is found. But a few hours later it just comes back.
Every form of patch/mitigation has been tried, as well as all possible versions of the nmap checks, but they all say it's safe. But it just isn't.

The first customer was migrated to 2019 and the problem stopped as soon as internet access port 443 was changed from the 2016 server to the 2019, so pretty sure it's remotely triggered.

Saying it's not an Exchange problem but a Windows Server problem is cute, but the only reason these servers have IIS installed is Exchange, and they are not running anything else. It seems that Microsoft just didn't fix it enough on Exchange 2016.
I guess they like to sell 2019, but upgrading is not always an option; upgrading the second customer will probably be a lot harder. A real fix would be nice.

AndreaSoc-5825 answered BruceRogers-0591 commented

I have the same problem with Exchange 2013, found some backdoor and Trojan.


We are experiencing this exact problem on a fully patched 2019 server running Exchange 2019

I appreciate the comments, but on what planet is "Reinstall the Windows system" ever a practical answer?

During the pandemic we have lots of users reliant on web mail. Does remapping port 443 add some friction to this attack?

Thanks

cb27-2581 answered cb27-2581 edited

We have to remember that there was a gap of 55 days between the earliest detected exploits in January and Microsoft releasing any patches in March.

During this window, the miscreants deployed their webshells - many of which remain undetected by security software. These are now being used to launch data exfiltration and/or ransomware operations.

We're about to wipe and redeploy ourselves. Fully patched Windows Server and Exchange 2019.

I'm more curious to know why On-Premises Exchange was vulnerable but Online Exchange wasn't. A cynic might say it's to "encourage" migration to subscription services...

08211143 answered 08211143 edited

P.S. I just want to confirm that after almost a week no infections are detected by MSERT and Defender. So I can say the malware doesn't REGENERATE itself everyday but the server is BEING ATTACKED every single day. If you block the attack source you can survive for now.


Same problem here on a fully updated Windows 2019 running Exchange 2019 CU10.

But since this malware is related to attacks originating from China, I tried to limit access to port 443 only to domestic IP addresses on my firewall and so far infections have not come back in the last 24 hours :)


Since we have no users based abroad it worked as a feasible temporary workaround for me.

Will wait for future MS updates...


> Since we have no users based abroad it worked as a feasible temporary workaround for me


Until they figure out all they need is a VPN to make it look like they're accessing from your country...

Cesar-5331 answered Cesar-5331 commented

Hi,

Last week, users started noticing 'draft' emails they never created containing attachments. I ran MSERT and it found the two infections below:

Backdoor:MSIL/Chopper.F!dha
Backdoor:ASP/WebShell.C!MTB

Rebooted the server and no more infections found. I ran MSERT a few times since then and no infections found.

Today, users reported 'draft' emails appearing again. Ran the MSERT and it found the same infections.

At this point, I am not sure what else to do. By the way, I have Malwarebytes installed and it did not detect it at all.

Any help will be greatly appreciated.
Thank you

Server 2019 STD
Exchange 2019
Fully patched and updated


We had the same issues. Running MSERT and cleaning up the infected files, but it kept regenerating every day (once you are infected, Microsoft patches or MSERT do not fix this issue fully).

We ended up building a new Exchange server and migrated all the mailboxes. It was a pain, but it resolved these issues fully.


JSSCGY-9407,

Yes, once the server is compromised, it is difficult to be 100% sure malware has been removed. Unfortunately, I do not have an Exchange expert in house to build a new one.
Thank you

08211143 answered James-2547 published

I just want to confirm that after almost a week no infections are detected by MSERT and Defender. So I can say the malware doesn't REGENERATE itself everyday but the server is BEING ATTACKED every single day. If you block the attack source you can survive for now.


How do you check your server for attacks?

GregDimaandal-0638 answered HieuCao-5321 commented

Exchange Server 2016 CU21, fully patched
-We got the same issue on our server when it was running CU14, and their on-premises IT didn't notice or check until users complained about the Drafts email issue. When I checked the Admin account, it had been creating malicious draft emails for a month already. Good thing no one had opened the attachment.

2 days after upgrading to CU21 and installing the July patch, no one has complained yet about the same issue. So I hope it fixes the issue.


Can you update the information now? My server has the same trouble/problem as yours. Thanks!


Issue was fixed after the CU21 July update. Planning to install the CU22 update.

Thanks sir. I'll update CU22 for my Exchange Server! So many thanks!
