On March 2, Microsoft released updates for Exchange Server vulnerabilities. The highest warning level applies; the threat situation is more than critical. In this blog post, we want to give you an update on what critical footholds the testing methods proposed by Microsoft and others fail to detect.

The findings and actions described below are the results from over 50 Exchange breach investigations conducted by InfoGuard CSIRT and are unfortunately real. In the last 2 weeks the InfoGuard CSIRT investigated over 50 potential Exchange Server breaches based on some of the 0-day vulnerabilities published by Microsoft on March 2nd 2021. While the vulnerabilities and how attackers exploit them have been described at great length by many entities, we wanted to give our readers insights into what the checking procedures suggested by Microsoft and others fail to detect. All of the described situations are real-world examples we observed in our investigations.

- Out of the around 50 investigations, over 70% did have webshells installed at some point.
- In a number of cases the MSERT tool did not identify all webshells that were placed by the attackers.
- In 5 cases the attackers interacted with the webshell and conducted internal recon.
- In at least 4 cases the attackers deleted certain log files and/or deleted their initially used webshells.
- In 2 cases the attackers were able to move laterally.
- In one case they compromised the whole domain!

Scanning the system with the MSERT tool is not enough, as it might miss webshells. Look for signs of attempted privilege escalation (normally Exchange runs with a local user account). Even if the Exchange Server seems to be clean at the time of your investigation, it does not mean you are not affected. The attacker could just have moved laterally and cleaned up the initial entry point. So carefully watch all servers that could directly or indirectly be reached through the Exchange Server. If you are uncertain whether the server has been breached, we recommend following the GovCERT measures and restaging the Exchange Server. If any alert comes up with a name like "Cobalt Strike" or "PowerSploit", you have got a serious problem: your data is potentially being siphoned off at this point, and encryption might be imminent.
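Because MSERT can miss webshells and attackers may delete both the shell and some log files afterwards, the IIS request logs of the Exchange front end are an independent source of evidence: a dropped .aspx file that was ever requested leaves a trace there even after it is gone. The script below is an added example written for this post, not InfoGuard's or Microsoft's tooling; it assumes the default IIS W3C log format with a `#Fields:` header, and the baseline of legitimate .aspx endpoints and the log lines are constructed for illustration.

```python
"""Hunt for webshell activity in IIS W3C logs from an Exchange front end.

Added example, not InfoGuard's code. Assumptions: default IIS W3C format
with a '#Fields:' header; BASELINE_ASPX is illustrative and must be built
from a known-good server of the same Exchange build.
"""
from collections import Counter

# Constructed sample: benign OWA/ECP traffic, then one client hitting
# .aspx files that are not part of the baseline, including POSTs
# (the pattern left by interaction with a webshell).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-04 02:11:09 GET /owa/auth/logon.aspx - 10.0.0.5 Mozilla/5.0 200
2021-03-04 02:11:10 POST /owa/auth/logon.aspx - 10.0.0.5 Mozilla/5.0 302
2021-03-04 02:14:51 GET /ecp/default.aspx - 10.0.0.7 Mozilla/5.0 200
2021-03-04 03:02:17 GET /owa/auth/x9k2.aspx - 198.51.100.23 python-requests/2.25.1 200
2021-03-04 03:02:19 POST /owa/auth/x9k2.aspx - 198.51.100.23 python-requests/2.25.1 200
2021-03-04 03:05:44 POST /aspnet_client/system_web/shell.aspx cmd=x 198.51.100.23 curl/7.64.1 200
"""

# Illustrative baseline (assumption): .aspx endpoints present on a clean install.
BASELINE_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/ecp/default.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            # IIS encodes spaces inside field values, so whitespace splitting is safe.
            yield dict(zip(fields, line.split()))


def find_webshell_hits(text, baseline=BASELINE_ASPX):
    """Return (timestamp, client ip, method, stem, status) for every request
    to an .aspx stem that is not in the baseline, compared case-insensitively."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if stem.endswith(".aspx") and stem not in baseline:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                         rec["cs-method"], stem, rec["sc-status"]))
    return hits


def summarize(hits):
    """Count hits per (client ip, stem); repeated POSTs mean the shell was used."""
    return Counter((ip, stem) for _, ip, _, stem, _ in hits)


if __name__ == "__main__":
    found = find_webshell_hits(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print(summarize(found))
```

Every stem it flags should then be checked on disk and, if the file is already gone, treated as a cleaned-up entry point rather than a false positive.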