Update Required Now

By this time, only Exchange Server administrators whose heads are thoroughly buried in deep sand have not heard about March’s Hafnium attacks. Hopefully, you followed the advice to apply Microsoft’s March security updates to close off the gaping holes in your Exchange 2010, 2013, 2016, and 2019 servers. Even better, you have installed the April 2021 security updates issued for Exchange 2013, 2016, and 2019 (Exchange 2010 is now out of support, which is a great reason to upgrade these servers to supported software) to address four new remote code execution vulnerabilities. Two of the four can be exploited pre-authentication, meaning that an attacker doesn’t need valid credentials before they can exploit the flaw. It’s therefore imperative that any Exchange server reachable from the internet is patched immediately. Two practical points when checking: each security update is built for specific cumulative update levels, so a server on an older CU must first be brought up to a supported CU; and the version reported by Get-ExchangeServer reflects only the cumulative update, not whether a security update is installed, so confirm the patch by checking the file version of ExSetup.exe against Microsoft’s Exchange build number table.

The FBI Steps In

For whatever reason, the Hafnium problem was ignored by many companies. At least, that’s the only interpretation which can be placed on the fact that three weeks after the attacks became public, 8% of Exchange servers exposed to the internet remained unpatched. Security companies that scan for problem servers reported finding thousands of vulnerable servers available for attackers to exploit.

Which is why the FBI might have felt it necessary to step in and seek court authorization to remove web shells from compromised servers. The FBI located servers where attackers had left web shells behind and, rather than patching anything, used each shell’s own remote-command capability to make the server delete the shell file. A web shell is a small script (in the Hafnium attacks, an ASP.NET .aspx page) dropped into a directory that the web server publishes; a request to its URL passes commands to the server, so the attacker can return and resume control at any point in the future. The problem is that patching closes the vulnerability used to plant the shell but does not remove the shell itself, which is one reason why some companies took servers offline and rebuilt them from scratch on bare metal to make sure that no possibility existed for lingering infection.

The FBI looked for and removed web shells, saying “Because the web shells the FBI removed today each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells.” The FBI also said that it is attempting to contact the owners of computers from which it removed web shells. Note what the operation did not do: it did not patch the servers, and it did not search for or remove any other malware or persistence the attackers might have left behind. Removing a web shell closes one door, not all of them, so owners still have to patch and check for other signs of compromise themselves.
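The point above about unique paths and names is why a list of known shell filenames is not enough; you have to look at what the files in the web-served directories actually do. The script below is an added example written for this page, not code from the article, from Quest, or from Microsoft. It scans the folders that Hafnium-style intrusions used as drop points for ASP.NET files whose content looks like a shell (code executed from a request parameter, a process spawned from page code, an in-memory assembly load) or that were created after a cutoff date. The install path, directory list, regex indicators and cutoff date are all assumptions to adjust for your environment; every hit is a lead for manual review, not a verdict.

```powershell
<#
Added example for this page (not the article's, Quest's or Microsoft's code):
hunt for ASP.NET web shells in directories that survive patching and are reachable
without authentication. Content matching is used because shell names vary.
Assumptions: default Exchange 2016/2019 install path, the drop-point list, the
regex indicators and the cutoff date below. Run in an elevated session on the server.
#>
param(
    [string]$ExchangeRoot = "C:\Program Files\Microsoft\Exchange Server\V15",
    # Files created after this date are reported even without a content match.
    # The date is an assumption; set it to your own exposure window. Attackers can
    # alter timestamps, so treat content matches as the stronger signal.
    [datetime]$Since = [datetime]"2021-02-26"
)

# Assumed drop points (web-published folders that remain after patching).
$WatchDirs = @(
    "C:\inetpub\wwwroot\aspnet_client",
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\owa\auth"),
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\ecp\auth"),
    (Join-Path $ExchangeRoot "ClientAccess\Owa\auth"),
    (Join-Path $ExchangeRoot "ClientAccess\ecp\auth")
)

# Assumed indicators of a one-line shell. Select-String matches case-insensitively.
$ShellPatterns = @(
    'Request\s*\[',                 # e.g. eval(Request["key"], "unsafe")
    '\beval\s*\(',
    'System\.Diagnostics\.Process',
    'ProcessStartInfo',
    'cmd(\.exe)?\s*/c',
    'Assembly\.Load'                # loader that runs a payload from memory
)

function Find-SuspectWebFile {
    param(
        [string[]]$Dirs,
        [string[]]$Patterns,
        [datetime]$NewerThan
    )
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.aspx, *.asmx, *.ashx, *.asax -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Which indicator patterns appear in the file (null when none do).
            $matched = Select-String -LiteralPath $file.FullName -Pattern $Patterns -ErrorAction SilentlyContinue |
                       Select-Object -ExpandProperty Pattern -Unique
            $recent = $file.CreationTimeUtc -gt $NewerThan.ToUniversalTime()
            if ($matched -or $recent) {
                if ($matched) { $reason = 'content: ' + ($matched -join ', ') }
                else          { $reason = 'created after cutoff' }
                [pscustomobject]@{
                    Path       = $file.FullName
                    CreatedUtc = $file.CreationTimeUtc
                    SizeBytes  = $file.Length
                    # Hash lets you compare a hit against the same file on a known-clean server.
                    Sha256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                    Reason     = $reason
                }
            }
        }
    }
}

# Report newest first. Keep this output, and a copy of any confirmed shell, for the
# incident record before deleting anything; the file is evidence as well as a risk.
Find-SuspectWebFile -Dirs $WatchDirs -Patterns $ShellPatterns -NewerThan $Since |
    Sort-Object CreatedUtc -Descending |
    Format-Table Path, CreatedUtc, SizeBytes, Reason -AutoSize
```

A hit on a legitimate Exchange page is possible (some product pages read request values), which is what the SHA-256 column is for: the same path on a freshly built server should hash identically, and any file that exists only on the suspect server deserves a close look. Finding a shell means the server was compromised, so the follow-up is the full incident response the article alludes to (credential resets, a check for other persistence, and in many cases a rebuild), not just deleting the file. Microsoft’s Test-ProxyLogon.ps1 script, published in its CSS-Exchange GitHub repository, performs a broader set of checks, including the IIS and Exchange log review this example omits.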

Want to remove these web shells yourself and look for other signs of compromise? Get the full details in this technical brief: Defend Exchange Server from HAFNIUM Attacks.

A Worldwide Problem

The FBI looked after U.S.-based servers but did nothing to help compromised Exchange servers located outside the U.S. On March 15, Check Point Software reported evidence of Exchange servers being attacked in many countries.

The FBI action should be a wake-up call for Exchange administrators. If the FBI was sufficiently alarmed by the consequences of the attack and felt it necessary to ask a court to allow them to remove web shells from computers, it should be enough for every Exchange administrator with on-premises servers to make sure that their servers are fully patched and attackers have left no web shells behind.

This YouTube video by security researcher John Hammond helps explain how web shells work and how they are found on Exchange servers, and this Quest tech brief also contains useful information to help secure servers.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Max

    The problem is, in many companies, cyber security is not taken seriously. I work for a small company; I’m the only tech there, which is marvelous. I take care of the networks there, support people and fix problems when I have some. The sad part is… nobody wants to let me do my job. We had a cyber attack two weeks ago. ‘Cyber attack’ is a big word for what happened, but we obviously have some vulnerabilities in the network. Two days after, a colleague asked me to laminate her customer’s card… with the permission of my boss. Our network is not secure, and I’m asked to do office duties first and secure the network after I’ve helped people do their office jobs.

    OOOH, you think the I.T. guy is watching videos on YouTube and watching movies? Nooo my friends, he improves his knowledge and skills to better protect you.

    Let US do OUR job and do YOURS.

    1. Tony Redmond

      Yep. In many companies, IT is a one-person job – one that is very challenging.
