Updated: 3/11/2021 – reference to surgical restore process
There’s been a lively discussion with “breaking news” about the extent of the intrusion into networks and the solution to it over on our Ransomware and Security group. Now that it seems to have reached a stable information point, I thought I would summarize what you need to know.
- Exchange 2013 and newer: you are probably hacked. Nearly everyone is.
- Exchange 2010 and older: probably not hacked.
This is because the unauthenticated entry point of the attack chain lives in server-side components that Exchange 2010 does not have. The separate 2010 issue that Microsoft patched requires the attacker to authenticate first, which is why 2010 servers are unlikely to have been hit.
- Apply the patches to Exchange 2013 and newer. There are three of them.
- Apply the patch to Exchange 2010. There is one.
Each security update targets specific cumulative update (CU) levels, so confirm which CU you are on before you download. Take note of how serious Microsoft considers this to be: it is issuing patches for long out-of-support versions of Exchange.
Applying patches only protects servers that haven’t already been hacked. Patching closes the door; it does not evict anyone already inside, and a web shell dropped before the patch keeps working after it.
It is very likely that your server has already been hacked. Find out by following the articles below.
- Read and follow this article from CISA to detect the intrusion
- Read and follow this article from CISA to mitigate the intrusion
The code runs as SYSTEM
The web shell runs as SYSTEM on the Exchange server, so everything SYSTEM on that box can reach is now at risk. An Exchange server is not just any server: its computer account holds broad write permissions in Active Directory, so SYSTEM on Exchange should be treated as potential domain-wide compromise. The question has arisen: if you only find a single dropped script or web shell from the hack, do you need to isolate and reload? The answer is yes.
Scan to determine if the intrusion has been activated on your network
Check your public IP address and your domain name against the list of known compromised hosts at https://checkmyowa.unit221b.com/. Note that there are two tests: one in which you browse to the site from a device behind your public IP, and one in which you enter your domain name.
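The checkmyowa lookup tells you whether your server appears on someone else's list of victims; the CISA detection guidance above tells you how to look on the server itself. The PowerShell below is an added example (not from the original post or from CISA) of that local first pass: it lists script files recently written under the Exchange web roots, flags the ones whose contents look like a command shell, and searches the IIS logs for requests from an indicator list. The Exchange, inetpub and IIS log paths are the product defaults and are assumptions for your environment; the three IP addresses are placeholders from the TEST-NET ranges, not real indicators, and must be replaced with the list from the advisory or your threat-intel feed.

```powershell
# Added example: first-pass web shell and IIS log hunt on an Exchange 2016/2019 server.
# Run in an elevated PowerShell on the Exchange server. Read-only; it changes nothing.

$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'   # default install path (assumption)
$WebRoots = @(
    "$ExchangeRoot\FrontEnd\HttpProxy",    # owa\auth, ecp\auth and the other virtual directories
    'C:\inetpub\wwwroot\aspnet_client'     # common drop location for web shells
)
$Since = (Get-Date).AddDays(-14)           # look-back window (assumption: two weeks)

# 1. Script files created or modified recently under the web roots. Exchange writes its own
#    .aspx files only at setup/CU time, so anything newer than your last CU is suspect.
$Suspicious = foreach ($root in $WebRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include *.aspx,*.ashx,*.asmx,*.php -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $Since -or $_.LastWriteTime -gt $Since }
}

# 2. Of those, flag files that read a request parameter and hand it to eval/Execute/Process.Start,
#    the shape of a one-file command shell.
$ShellPattern = 'Request\[|Request\.(Form|Item|Params)|eval\(|Execute\(|Process\.Start|JScript'
$Hits = $Suspicious | Where-Object { Select-String -Path $_.FullName -Pattern $ShellPattern -Quiet }

"== Recently written script files under web roots: $($Suspicious.Count)"
$Suspicious | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
"== Files matching web shell patterns: $($Hits.Count)"
$Hits | Select-Object FullName | Format-Table -AutoSize

# 3. IIS logs: requests from addresses on the indicator list. The W3C '#Fields:' header names the
#    columns, so the script finds c-ip / cs-method / cs-uri-stem / sc-status by name per file.
$BadIps = @('192.0.2.10', '198.51.100.77', '203.0.113.5')   # PLACEHOLDERS, replace with real IOCs
$LogDir = 'C:\inetpub\logs\LogFiles'                        # IIS default (assumption)

$LogHits = Get-ChildItem -Path $LogDir -Recurse -Filter *.log -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    ForEach-Object {
        $file = $_.FullName
        $idx = $null
        foreach ($line in [System.IO.File]::ReadLines($file)) {
            if ($line.StartsWith('#Fields:')) {
                $fields = $line.Substring(8).Trim() -split ' '
                $idx = @{
                    ip     = [array]::IndexOf($fields, 'c-ip')
                    method = [array]::IndexOf($fields, 'cs-method')
                    uri    = [array]::IndexOf($fields, 'cs-uri-stem')
                    status = [array]::IndexOf($fields, 'sc-status')
                }
                continue
            }
            if ($line.StartsWith('#') -or -not $idx -or $idx.ip -lt 0) { continue }
            $cols = $line -split ' '
            if ($BadIps -contains $cols[$idx.ip]) {
                [pscustomobject]@{
                    File     = $file
                    Time     = "$($cols[0]) $($cols[1])"
                    ClientIp = $cols[$idx.ip]
                    Method   = if ($idx.method -ge 0) { $cols[$idx.method] } else { '' }
                    Uri      = if ($idx.uri    -ge 0) { $cols[$idx.uri] }    else { '' }
                    Status   = if ($idx.status -ge 0) { $cols[$idx.status] } else { '' }
                }
            }
        }
    }

"== IIS log lines from listed addresses: $($LogHits.Count)"
$LogHits | Format-Table -AutoSize
```

A clean result from this script is not proof of a clean server: the file list only catches shells still on disk, and the log search only catches addresses you already know about. Treat any hit as confirmation; treat no hits as a reason to keep following the CISA article.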
File with the FBI
Help us respond to victims and hold those responsible accountable. https://www.fbi.gov/news/pressrel/press-releases/statement-on-microsoft-exchange-server-vulnerabilities
At the very least, migrate to a freshly built Exchange server and change passwords throughout the domain. Don’t forget the local passwords on PCs. Then, if the scan came back positive, consider what code with SYSTEM access on the Exchange server could have reached on the rest of your network. You may need to rebuild everything.
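“Change passwords throughout the domain” is a bigger job than forcing users to pick a new password at logon. The PowerShell below is an added example (not from the original post) of the sweep a domain admin would run from a machine with the ActiveDirectory RSAT module, after the compromised Exchange server is off the network: forced user changes, immediate resets of privileged accounts with generated passwords, the krbtgt double reset that invalidates forged Kerberos tickets, and a per-machine reset of the built-in local Administrator over PowerShell remoting. The group names, the assumption that WinRM is enabled on workstations, and the choice to exclude servers from the local-admin loop are all assumptions for your environment.

```powershell
# Added example: domain-wide credential reset after an Exchange compromise.
# Run as Domain Admin ONLY after the intruder's foothold is gone; otherwise the new
# credentials are harvested the same way the old ones were.
Import-Module ActiveDirectory

# Cryptographically random passwords; rejection sampling avoids modulo bias.
function New-RandomPassword {
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit = 256 - (256 % $chars.Length)
    $out   = New-Object System.Text.StringBuilder
    $b     = New-Object byte[] 1
    while ($out.Length -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { [void]$out.Append($chars[$b[0] % $chars.Length]) }
    }
    $out.ToString()
}

# 1. Every enabled user changes password at next logon. Accounts with PasswordNeverExpires
#    are usually service accounts; a forced change would break what runs under them, so
#    they are listed for manual handling instead.
$Users = Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordNeverExpires, PasswordLastSet
$Users | Where-Object { -not $_.PasswordNeverExpires } | Set-ADUser -ChangePasswordAtLogon $true
"Service-style accounts to reset by hand (PasswordNeverExpires):"
$Users | Where-Object PasswordNeverExpires | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

# 2. Privileged accounts are reset now, not at next logon. Group names are assumptions;
#    the two Exchange groups exist only where Exchange is installed (errors suppressed).
$Privileged = @('Domain Admins','Enterprise Admins','Schema Admins','Administrators',
                'Account Operators','Server Operators','Organization Management','Exchange Trusted Subsystem')
$PrivUsers = foreach ($g in $Privileged) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | Where-Object objectClass -eq 'user'
}
$PrivResults = $PrivUsers | Sort-Object distinguishedName -Unique | ForEach-Object {
    $pw = New-RandomPassword
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    [pscustomobject]@{ Account = $_.SamAccountName; NewPassword = $pw }   # store out-of-band, never on the domain
}
$PrivResults | Format-Table -AutoSize

# 3. krbtgt. An intruder with SYSTEM on a server that can read AD may hold the krbtgt key and
#    mint Kerberos tickets (golden tickets) that survive every user reset above. Two resets
#    are needed, at least the 10-hour default maximum ticket lifetime apart, before tickets
#    signed with the old key stop validating. Re-run this block after the wait.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -gt (Get-Date).AddHours(-10)) {
    "krbtgt was reset at $($krbtgt.PasswordLastSet); wait before the second reset."
} else {
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString (New-RandomPassword 32) -AsPlainText -Force)
    "krbtgt reset at $(Get-Date). Schedule the second reset in 10+ hours."
}

# 4. The "don't forget" from the post: the built-in local Administrator (RID 500, even if
#    renamed) on every enabled non-server computer, a different password per machine.
$Computers = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -notlike '*Server*' } |
    Select-Object -ExpandProperty Name
$LocalResults = foreach ($c in $Computers) {
    $pw = New-RandomPassword
    try {
        Invoke-Command -ComputerName $c -ErrorAction Stop -ArgumentList $pw -ScriptBlock {
            param($NewPw)
            Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
                Set-LocalUser -Password (ConvertTo-SecureString $NewPw -AsPlainText -Force)
        }
        [pscustomobject]@{ Computer = $c; NewPassword = $pw; Status = 'reset' }
    } catch {
        [pscustomobject]@{ Computer = $c; NewPassword = $null; Status = "failed: $($_.Exception.Message)" }
    }
}
$LocalResults | Format-Table -AutoSize
```

Machines that were offline show up as failed and need a second pass; a PC that never reconnects should be rebuilt rather than trusted. The generated passwords are emitted as objects so they can be piped straight into whatever your password manager imports, and nothing here is written to disk on the domain.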
Our own Dave Shackelford suggests a surgical restore process in this blog for single server deployments of Exchange
All we do is support IT professionals. Help for IT Pros, Super Secret News, Security community, MSP Legislation community, Kits, papers, MSP training and more. https://www.thirdtier.net