47 thousand servers are still affected in the USA alone.

If you use Exchange servers you are most likely vulnerable to what can become the hack of the year, or even worse.

Malicious actors have gained access to over 30 thousand Exchange servers in the USA, hundreds of thousands around the world. Even updated and patched servers are vulnerable, and researchers have found anywhere between three and eight backdoors on affected systems, which will be an easy way in for the bad guys to access and exfiltrate sensitive data or deploy ransomware… or maybe even both.

Organizations that are running this service from Microsoft can enter their email addresses on this website, https://checkmyowa.unit221b.com/, to see whether their servers have already been affected.

The most immediate task right now is to encrypt any information on such servers, to prevent attackers from gaining access to sensitive information, and to back up, to reduce the effects of the anticipated and much-dreaded wave of ransomware.

Further details will be delivered if you express your interest in receiving them. We are trying to do our duty as responsible citizens and alert those we can reach; please do the same if you can.

How do I know if my servers have been breached?

  • Microsoft has published multiple scripts for the detection of compromised Exchange servers. The CSS-Exchange GitHub page has the Test-ProxyLogon.ps1 script (a script for the detection of webshells) that automates the commands found in the earlier Hafnium blog post. The Microsoft Safety Scanner and Microsoft Defender have received an update to detect and remove the malware that has been distributed using these vulnerabilities.
  • The Dutch Nationaal Cyber Security Centrum released the news that, according to their own research, 40% of the Dutch Microsoft Exchange Servers remain vulnerable. See the news item for more information.
  • Volexity and FireEye report that these vulnerabilities have been abused since early January. With this in mind, we want to stress how important it is for organisations, after patching, to perform an investigation to determine whether these vulnerabilities have been exploited on their systems.

General recommendations

We recommend the following security precautions for a better protection of your Exchange Server infrastructure:

  • Do not expose Exchange directly to the Internet: put a WAF in front of it and/or use an SMTP filtering proxy in front of the Exchange servers.
  • Have an emergency patch process that allows you to patch your infrastructure, especially elements that are directly exposed to the Internet, within a very short timeframe (hours).
  • Closely monitor all Exchange Server log files, collect them in a SIEM and look for unusual patterns.
  • Always deploy a second factor for the authentication of users.
  • Use a dedicated management network for accessing Exchange Server with high privileges.
  • Collect all AD logs centrally and analyse them on a regular basis.
  • Increase visibility on the endpoints by using an EDR (Endpoint Detection and Response) tool.
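The detection scripts named in the "How do I know" section and the recommendation above to collect Exchange log files in a SIEM and look for unusual patterns come down to the same kind of query. The following Python is an added example, not code from this page, from Microsoft or from the CSS-Exchange project: it re-implements, over a constructed HttpProxy log excerpt, the HttpProxy check from Microsoft's Hafnium guidance that Test-ProxyLogon.ps1 automates (requests with no authenticated user whose AnchorMailbox matches `ServerInfo~*/*`). It assumes Exchange's CSV layout with the column header on the first line followed by `#`-prefixed metadata rows; the sample rows, host names, IPs and user names are constructed, the column set is reduced to the fields the check reads, and the function names are the example's own.

```python
"""Triage of Exchange HttpProxy logs for the ProxyLogon request indicator.

Added example (not code from the page, from Microsoft or from CSS-Exchange).
It re-implements in Python the check that Microsoft's Hafnium guidance gives
as a PowerShell Import-Csv query: requests in the HttpProxy logs that carry no
authenticated user but an AnchorMailbox of the form "ServerInfo~*/*". A hit
is an indicator that needs an incident-response look, not proof on its own.
"""
import csv
import fnmatch
from collections import Counter
from pathlib import Path

# Constructed sample log. Real HttpProxy logs carry many more columns; only the
# ones this check reads are kept. The layout assumed here is the CSV header on
# the first line followed by "#"-prefixed metadata rows, which the parser
# skips. Hosts, IPs, users and request ids are made up.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
2021-03-03T02:14:11.120Z,r1,Autodiscover,/autodiscover/autodiscover.xml,alice@example.org,Sid~S-1-5-21-1111-2222-3333-1001,10.0.0.25,200
2021-03-03T02:14:12.003Z,r2,Ecp,/ecp/default.flt,,ServerInfo~mail.example.org/autodiscover/autodiscover.xml,203.0.113.77,200
2021-03-03T02:14:12.550Z,r3,Ecp,/ecp/y.js,,ServerInfo~mail.example.org/ecp/default.flt,203.0.113.77,200
2021-03-03T02:15:01.001Z,r4,Owa,/owa/auth/logon.aspx,,,198.51.100.4,200
2021-03-03T02:16:40.733Z,r5,Eas,/Microsoft-Server-ActiveSync/default.eas,bob@example.org,Smtp~bob@example.org,10.0.0.40,200
"""

# The same wildcard Microsoft's guidance uses with PowerShell's -like operator.
ANCHOR_PATTERN = "ServerInfo~*/*"


def parse_httpproxy_log(text):
    """Parse one HttpProxy log file into a list of row dicts keyed by column name."""
    data_lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return list(csv.DictReader(data_lines))


def is_suspicious(row):
    """True when the request was unauthenticated and its AnchorMailbox matches the pattern.

    Both conditions are required: an empty AuthenticatedUser alone is normal
    for logon pages, and a ServerInfo~ anchor with an authenticated user is
    not what the guidance flags.
    """
    unauthenticated = (row.get("AuthenticatedUser") or "").strip() == ""
    anchor = (row.get("AnchorMailbox") or "").strip()
    return unauthenticated and fnmatch.fnmatchcase(anchor, ANCHOR_PATTERN)


def suspicious_requests(rows):
    """Filter parsed rows down to the ones matching the indicator."""
    return [r for r in rows if is_suspicious(r)]


def summarize(rows):
    """Aggregate hits the way a SIEM panel would: count, source IPs, first/last seen."""
    hits = suspicious_requests(rows)
    times = sorted(r["DateTime"] for r in hits)  # ISO-8601 UTC strings sort chronologically
    return {
        "hits": len(hits),
        "source_ips": Counter(r["ClientIpAddress"] for r in hits),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
    }


def scan_log_directory(root):
    """Walk a copied HttpProxy log tree (every *.log file) and return the hits per file."""
    findings = {}
    for path in sorted(Path(root).rglob("*.log")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = suspicious_requests(parse_httpproxy_log(text))
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    sample_rows = parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG)
    for hit in suspicious_requests(sample_rows):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
    print(summarize(sample_rows))
```

Run `scan_log_directory` against a copy of the HttpProxy logging directory taken from the server rather than against the live files, and feed the per-file hits into whatever ticketing or SIEM workflow the organisation uses. This query covers only the one request pattern from the guidance; a server that shows no hits still needs the file-system and Defender checks described above before it can be considered clean.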