Microsoft Exchange Server Vulnerability Checklist
The recent Exchange Server vulnerabilities, and the attacks that exploited them, are likely to be one of the most significant cyber events in recent years, with 30,000+ U.S. organizations reportedly compromised.
Patching Exchange Servers and removing any known indicators of compromise was the easy part. A capable attacker would have used the initial access to the Exchange Server to move laterally to other systems on the network, both to evade remediation efforts on the server itself and to gain more persistent access.
Because exploitation was already under way before the patch was released, there is a very high likelihood of compromise no matter how fast the patch was applied. The question is, do you have the people, processes, and technology to detect it? Can your current security tooling detect the after-effects? Comprehensive endpoint monitoring and detection, with a Security Operations Center team watching the alerts, is vital to catching a compromise that has already happened.
The investigation into an event like this should be done in two stages. Use ProArch's checklist below, compiled by our security experts, to reduce the risk of further malicious activity going undetected.
1. Patch the Exchange Server if not already completed
2. Run the Microsoft Safety Scanner (MSERT) to find known signs of compromise and to remove any detected web shells
3. Perform additional investigation of the Exchange Server for other indicators of compromise; the scanner only finds indicators that are already known
a. Check scheduled tasks, especially any created or modified since the server was first exposed
b. Use tools such as Sysinternals Autoruns and Process Explorer to look for persistence mechanisms and unexpected processes on the server
c. Review the system and security event logs for signs of compromise on the Exchange Server
d. Investigate for signs of an LSASS process memory dump (credential theft) in C:\windows\temp; if one is found, treat the credentials of every account that logged on to the server as exposed
e. Investigate for signs of a 7-Zip installation; HAFNIUM has used 7-Zip to compress email data for exfiltration
f. Investigate for signs of PST / email data exports; HAFNIUM has been seen to export email data to C:\ProgramData\PST
g. Review any newly created or changed files on the server, paying special attention to .aspx files in web-accessible directories (web shells)
h. Review endpoint detection and response solutions and other security solutions in the environment for alerts and logs
i. Review available network logs and devices for abnormal traffic patterns that can signify data exfiltration
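The following script is an added example of how items 3a through 3g can be worked through in one pass on the server; it is not ProArch's or Microsoft's code. It assumes an elevated PowerShell session on the Exchange server, a 60-day review window (`$Since`), and that the web content lives in the default IIS web root and the Exchange front-end directory under `$env:ExchangeInstallPath`; adjust those assumptions to the server in question.

```powershell
# Added example (not ProArch's or Microsoft's code): one triage pass over the Exchange server
# for checklist items 3a-3g. Run in an elevated PowerShell session on the server itself.
# Assumption: 60 days is the review window; set it to the first day the server was reachable unpatched.
$Since = (Get-Date).AddDays(-60)

# Paths from the checklist (C:\Windows\Temp, C:\ProgramData\PST), the default IIS web root and the
# Exchange front-end directory. $env:ExchangeInstallPath is set by the Exchange installer.
$WebRoots = @("C:\inetpub\wwwroot")
if ($env:ExchangeInstallPath) { $WebRoots += (Join-Path $env:ExchangeInstallPath "FrontEnd\HttpProxy") }
$WebRoots = $WebRoots | Where-Object { Test-Path $_ }

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 3a. Scheduled tasks outside Microsoft's own folder, with what each one executes.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike "\Microsoft\*" } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join "; "
    Add-Finding "ScheduledTask" "$($_.TaskPath)$($_.TaskName): $actions"
}

# 3c. Services installed inside the window (System log, Event ID 7045), a common persistence step.
Get-WinEvent -FilterHashtable @{ LogName = "System"; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        $name  = ($d | Where-Object Name -eq "ServiceName").'#text'
        $image = ($d | Where-Object Name -eq "ImagePath").'#text'
        Add-Finding "NewService" "$($_.TimeCreated) $name -> $image"
    }

# 3d. Memory dumps in C:\Windows\Temp. An LSASS dump here means credential theft; treat it as domain-wide.
Get-ChildItem "C:\Windows\Temp" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq ".dmp" -or $_.Name -like "*lsass*" } |
    ForEach-Object { Add-Finding "MemoryDump" "$($_.FullName) ($($_.Length) bytes, $($_.LastWriteTime))" }

# 3e. 7-Zip: an installed copy (Uninstall registry keys) or a dropped 7z*.exe in writable locations.
$uninstall = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
             "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
Get-ItemProperty $uninstall -ErrorAction SilentlyContinue | Where-Object DisplayName -like "7-Zip*" |
    ForEach-Object { Add-Finding "7-Zip" "Installed: $($_.DisplayName) $($_.InstallDate)" }
Get-ChildItem "C:\Windows\Temp", "C:\ProgramData", $env:TEMP -Recurse -Include "7z*.exe" -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding "7-Zip" "Binary: $($_.FullName)" }

# 3f. Mailbox exports: the C:\ProgramData\PST staging folder from the checklist, recently written .pst
# files under ProgramData, and Exchange export requests (only when the Exchange cmdlets are loaded).
if (Test-Path "C:\ProgramData\PST") { Add-Finding "PSTExport" "C:\ProgramData\PST exists" }
Get-ChildItem "C:\ProgramData" -Recurse -Include "*.pst" -File -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -ge $Since |
    ForEach-Object { Add-Finding "PSTExport" "$($_.FullName) ($($_.LastWriteTime))" }
if (Get-Command Get-MailboxExportRequest -ErrorAction SilentlyContinue) {
    Get-MailboxExportRequest |
        ForEach-Object { Add-Finding "PSTExport" "Export request $($_.Name) for $($_.Mailbox) [$($_.Status)]" }
}

# 3g. Files created or changed in the web roots inside the window; .aspx files are the web-shell candidates.
foreach ($root in $WebRoots) {
    Get-ChildItem $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            $check = if ($_.Extension -eq ".aspx") { "WebShellCandidate" } else { "ChangedWebFile" }
            $hash  = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            Add-Finding $check "$($_.FullName) $($_.LastWriteTime) SHA256=$hash"
        }
}

$Findings | Sort-Object Check | Format-Table -AutoSize -Wrap
# Assumption: the findings are written next to the investigator's profile; use an evidence share in practice.
$Findings | Export-Csv "$env:USERPROFILE\Desktop\exchange-triage.csv" -NoTypeInformation
```

Two caveats when reading the output. Applying the Exchange security update rewrites files under `FrontEnd\HttpProxy`, so legitimate patch activity inside the window will appear as `ChangedWebFile`; compare the SHA256 values against a known-good server at the same patch level rather than judging by timestamp alone. And an empty result is not a clean bill of health: the script covers only the artefacts named in the checklist, and items 3h and 3i (EDR alerts and network traffic) still have to be reviewed in those systems.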
The second stage of managing this attack is preparing for the next one. If an attacker successfully accessed the environment, a large amount of risk remains even after the servers have been patched and the detected indicators of compromise have been removed. And if you believe you avoided compromise, can you demonstrate that nothing more significant is lurking? Be sure you are prepared for the unknown with the people, technology, and processes that can detect and respond to security incidents.
1. Review all users and permissions in the environment. Look for newly created accounts, newly assigned permissions, and changes to privileged group membership.
2. Check that backups are protected against tampering and ransomware, for example with offline or immutable copies and separate credentials.
3. Ensure recent backups have been taken of all systems and that restores have been tested.
4. Protect Exchange email and any other remote system access with multi-factor authentication. MFA would not have blocked these pre-authentication flaws, but it limits what an attacker can do with the credentials stolen through them.
5. Prepare for further exploitation. Get the people, processes, and technology in place to detect and respond to security threats.
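As an added example for item 1 of the second stage (not ProArch's code), the script below pulls the account and permission changes an investigator would want to see together: accounts created inside the window, the current membership of the privileged groups that matter on an Exchange estate, and the account-management events from a domain controller's Security log. It assumes the ActiveDirectory PowerShell module (RSAT), rights to read the Security log on the domain controller it discovers, and the same 60-day window.

```powershell
# Added example (not ProArch's code): identity review for stage-two item 1.
# Needs the ActiveDirectory module and read access to the Security log on a domain controller.
# Assumptions: a 60-day window, and whichever domain controller discovery returns first.
Import-Module ActiveDirectory
$Since = (Get-Date).AddDays(-60)
$DC = [string]((Get-ADDomainController -Discover).HostName | Select-Object -First 1)

# Accounts created inside the window. An attacker holding stolen domain credentials often adds a
# plain-looking account so that access no longer depends on the web shell.
$newUsers = Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, PasswordLastSet, Enabled, MemberOf |
    Select-Object SamAccountName, whenCreated, PasswordLastSet, Enabled,
        @{ n = "Groups"; e = { ($_.MemberOf | ForEach-Object { ($_ -split ",")[0] -replace "^CN=" }) -join ";" } }

# Current membership of the groups that matter most here: domain-level administrators and
# Organization Management, the Exchange RBAC group that controls Exchange itself.
$privGroups = "Domain Admins", "Enterprise Admins", "Administrators", "Organization Management"
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass } }
}

# Account-management events from the DC's Security log:
# 4720 user created, 4724 password reset by an administrator, 4738 user account changed,
# 4728/4732/4756 member added to a security-enabled global/local/universal group.
$ids = 4720, 4724, 4728, 4732, 4738, 4756
$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = "Security"; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Actor  = ($d | Where-Object Name -eq "SubjectUserName").'#text'   # who made the change
            Target = ($d | Where-Object Name -eq "TargetUserName").'#text'    # account, or group for 47xx
            Member = ($d | Where-Object Name -eq "MemberName").'#text'        # DN added to the group, if any
        }
    }

"Accounts created since $Since"; $newUsers | Format-Table -AutoSize
"Privileged group membership";    $privMembers | Sort-Object Group, Member | Format-Table -AutoSize
"Account-management events on $DC"; $events | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The event section only yields results if "Audit User Account Management" and "Audit Security Group Management" are enabled, and a busy domain controller's Security log can roll over within days, so pull the same event IDs from every domain controller, or from the SIEM, rather than from one DC. Compare every row against your change records: an account creation or group addition with no matching ticket, or one performed by an account that should never administer Active Directory, is the lead to chase first.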
Large-scale security events are becoming more common. The best way to prepare for incidents like this one is to build a comprehensive endpoint protection program that includes a Security Operations Center team monitoring for and responding to malicious activity 24x7.
Watch ProArch Security Team Lead Caleb Freitas discuss below how businesses can protect themselves from security threats moving forward.
If you’re concerned about your organization’s security posture in the wake of the Exchange vulnerabilities, contact us.