Urgent Security Event For On-Site Exchange Server – HAFNIUM Attack

The Verteks cyber security team was notified by Microsoft that on-premises Microsoft Exchange servers are being actively exploited through previously undisclosed (zero-day) vulnerabilities.

This is active exploitation. We have personally identified servers that have already been compromised, so we assess this as a widespread attack that requires immediate attention.

This only affects on-premises Exchange Server. If you have migrated to Office 365 and decommissioned your Exchange Server, you are not at risk from this specific attack. Note that a hybrid deployment that still keeps an on-premises Exchange server (for mail flow, management or recipient administration) is still exposed and must be treated like any other on-premises server.

According to Microsoft’s initial blog, they detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in what they describe as “limited and targeted attacks.” From our own analysis of the clients we have looked at today, we assess that this could spread to all Internet-facing Exchange servers within a very short period of time, perhaps just days.

This appears to be a large-scale, spray-and-pray attack, not just the "limited and targeted attacks" Microsoft describes. Businesses and government agencies of any and all sizes will be affected if they run Exchange on-premises.

Link to Microsoft's Blog about HAFNIUM
Link to Microsoft's Emergency Patches for HAFNIUM

On a vulnerable server that we found, multiple webshells had been deployed. The infected systems were running updated antivirus and sat behind well-configured firewalls, so preventive controls failed to catch this threat. That is not surprising: the exploit arrives over the same HTTPS port that Exchange must expose to the Internet, and the webshell is written to disk by Exchange's own IIS worker process, so neither the firewall nor the antivirus has an obvious reason to block it.

If you run Microsoft Exchange Server on-premises, you should assume you have already been hit. We recommend that you patch immediately, validate from outside the server that the patch is actually in place, and then immediately search for the presence of these webshells and other indicators of compromise. Patching closes the door; it does not evict an attacker who is already inside.

On your Exchange servers, examine these filesystem paths:

C:\inetpub\wwwroot\aspnet_client\
C:\inetpub\wwwroot\aspnet_client\system_web\ (if system_web exists)

If you see unfamiliar .aspx files with random names, and their contents look like a dump of configuration properties with an ExternalUrl line whose value contains “JScript” code (the attacker sets the script as the ExternalUrl of an Exchange virtual directory and then exports that configuration into the .aspx file), there is a strong possibility this host is compromised. Preserve the files and their timestamps for investigation rather than simply deleting them; the creation time of the first webshell tells you roughly when the intrusion began.
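The following script automates the check described above. It is an added example written for this advisory, not code from Verteks or from Microsoft's tooling. It assumes you save it as a .ps1 and run it as Administrator on the Exchange server itself, ideally in the Exchange Management Shell so that Get-OabVirtualDirectory is available (that part is skipped otherwise). The two directories are the ones named above; additional directories can be supplied with the assumed -Paths parameter.

```powershell
# Added triage example for the advisory above; not part of the original page.
# Assumptions: run elevated on the Exchange server, preferably in the Exchange
# Management Shell. Windows PowerShell 5.1 compatible.
[CmdletBinding()]
param(
    [string[]]$Paths = @(
        'C:\inetpub\wwwroot\aspnet_client',
        'C:\inetpub\wwwroot\aspnet_client\system_web'
    )
)

# Content markers from the advisory: a dumped ExternalUrl property whose value
# carries server-side JScript. runat="server" is what makes the script execute.
$contentMarkers = @('ExternalUrl', 'JScript', 'runat="server"')

$findings = @()

foreach ($dir in $Paths) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # Exchange ships no .aspx files under aspnet_client, so every one is unexpected.
    $aspxFiles = Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue
    foreach ($file in $aspxFiles) {
        $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
        $hits = @()
        foreach ($marker in $contentMarkers) {
            if ($text -and $text -match [regex]::Escape($marker)) { $hits += $marker }
        }
        if ($hits.Count -ge 2) { $verdict = 'LIKELY WEBSHELL' } else { $verdict = 'UNEXPECTED .aspx, review' }

        $findings += [pscustomobject]@{
            Location  = $file.FullName
            SizeBytes = $file.Length
            Created   = $file.CreationTime
            Modified  = $file.LastWriteTime
            Sha256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            Markers   = ($hits -join ', ')
            Verdict   = $verdict
        }
    }
}

# The .aspx files are produced by abusing the Offline Address Book virtual directory's
# ExternalUrl setting, so script content still sitting in that setting is an indicator too.
if (Get-Command -Name Get-OabVirtualDirectory -ErrorAction SilentlyContinue) {
    foreach ($vdir in @(Get-OabVirtualDirectory -ErrorAction SilentlyContinue)) {
        $url = [string]$vdir.ExternalUrl
        if ($url -match '<script|JScript') {
            $findings += [pscustomobject]@{
                Location  = "OAB virtual directory: $($vdir.Identity)"
                SizeBytes = $url.Length
                Created   = $null
                Modified  = $vdir.WhenChanged
                Sha256    = ''
                Markers   = 'ExternalUrl contains script'
                Verdict   = 'LIKELY WEBSHELL STAGING'
            }
        }
    }
}

# Local patch-level evidence: the Security Update changes ExSetup.exe's file version,
# while AdminDisplayVersion from Get-ExchangeServer does not. Compare the version printed
# here with the build Microsoft lists for the emergency patch. This is a local check and
# does not replace the external validation the advisory calls for.
$exsetup = Get-Command -Name ExSetup.exe -ErrorAction SilentlyContinue
if ($exsetup) {
    Write-Host ("ExSetup.exe file version: {0}" -f $exsetup.FileVersionInfo.ProductVersion)
}

if ($findings.Count -eq 0) {
    Write-Host 'No unexpected .aspx files or scripted ExternalUrl values found in the checked locations.'
} else {
    # Leave the files in place; copy them elsewhere for analysis before any cleanup.
    $findings | Format-Table -AutoSize -Wrap
}
```

The script flags every .aspx file under the checked directories, not only those matching the content markers, because none should exist there at all; the marker count only raises the verdict from "review" to "likely webshell". The SHA-256 column lets you compare files against published indicator lists, and the creation time gives the earliest point from which to review IIS and Exchange logs.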

Verteks Consulting is standing by to help as needed. We are committed to assisting our clients and the broader IT community affected by this attack. We are happy to help you patch your systems and to complete a top-down review of your systems for any indicators of compromise resulting from this serious event.

Please call or email us if we can help in any way.

Call: 877-VERTEKS
Email: help@verteks.com