Update Required Now
By now, only Exchange Server administrators whose heads are thoroughly buried in deep sand have not heard about March’s Hafnium attacks. Hopefully, you followed the advice to apply Microsoft’s cumulative updates to close off the gaping holes in your Exchange 2010, 2013, 2016, and 2019 servers. Better still, you have installed the April 2021 updates issued for Exchange 2013, 2016, and 2019 (Exchange 2010 is now out of support, which is a great reason to upgrade these servers to supported software) to address four new remote code execution vulnerabilities. Two of the four problems occur pre-authentication, meaning that an attacker doesn’t have to authenticate before they can exploit the flaw. It’s therefore imperative that any Exchange Server that is exposed to the internet is patched immediately.
The FBI Steps In
For whatever reason, the Hafnium problem was ignored by many companies. At least, that’s the only interpretation that can be placed on the fact that three weeks after the event, 8% of servers exposed to the internet remained unpatched. Security companies that scan for problem servers reported finding thousands of vulnerable servers available for attackers to exploit.
That is why the FBI might have felt it necessary to step in and seek court authorization to patch servers. The FBI practised ethical hacking to find servers where attackers had left web shells behind. Web shells allow remote control of servers and are often left behind after a server is compromised so that the attacker can return and resume control at some point in the future. The problem is that web shells can remain in place even after servers are patched, which is one reason why some companies took servers offline for bare-metal builds from scratch to make sure that no possibility existed for lingering infection.
The FBI looked for and removed web shells, saying “Because the web shells the FBI removed today each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells.” The FBI also said that it is attempting to contact the owners of computers where it removed web shells.
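Because the shells had unique names, a check keyed on file names is of little use; a defender’s first pass is to list every .aspx file under the Exchange web directories that was created or changed after a chosen date and record its hash for triage. The script below is an added example (not code from the original post or from Quest); the directory paths are the default Exchange 2013/2016/2019 install locations and the cutoff date are assumptions to adjust for your environment.

```powershell
# Added example: list .aspx files in Exchange web directories that changed
# after a cutoff date. Paths and the cutoff below are assumptions.
param(
    [string]$ExchangeRoot = "C:\Program Files\Microsoft\Exchange Server\V15",
    # Assumed date: set it to just before the window you are investigating.
    [datetime]$Cutoff = (Get-Date "2021-02-26")
)

# Client-facing virtual directories to review (default locations, assumed).
$Dirs = @(
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\owa\auth")
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\ecp\auth")
    (Join-Path $ExchangeRoot "ClientAccess\owa\auth")
    "C:\inetpub\wwwroot\aspnet_client"
)

$Findings = foreach ($d in $Dirs) {
    if (-not (Test-Path -Path $d)) { continue }
    Get-ChildItem -Path $d -Filter *.aspx -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Cutoff -or $_.CreationTime -gt $Cutoff } |
        ForEach-Object {
            # Record enough to triage offline and to compare hashes across
            # servers. Never open a suspect file through the web server.
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object Modified -Descending | Format-Table -AutoSize
    # Keep a copy of the list as evidence before anything is removed.
    $Findings | Export-Csv -Path ".\exchange-aspx-review.csv" -NoTypeInformation
} else {
    Write-Host "No .aspx files newer than $Cutoff found under the checked directories."
}
```

A recent timestamp is a lead, not a verdict: compare each hit against a known-good server or installation media before treating it as a web shell, and preserve the file for forensics rather than deleting it on sight.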
Want to remove these web shells yourself and look for other signs of compromise? Get the full details in this technical brief: Defend Exchange Server from HAFNIUM Attacks.
A Worldwide Problem
The FBI looked after U.S.-based servers, but did nothing to help compromised Exchange servers located outside the U.S. On March 15, Check Point Software reported evidence of Exchange servers being attacked in many countries.
The FBI action should be a wake-up call for Exchange administrators. If the FBI was sufficiently alarmed by the consequences of the attack and felt it necessary to ask a court to allow them to remove web shells from computers, it should be enough for every Exchange administrator with on-premises servers to make sure that their servers are fully patched and attackers have left no web shells behind.
This YouTube video by security researcher John Hammond is helpful for understanding how web shells work and how they are found on Exchange servers, and this Quest tech brief also contains useful information to help secure servers.