The script and additional notes can be found on GitHub. Microsoft has extended a long-standing PowerShell script known as Test-Hafnium, named Test-ProxyLogon.ps1, to detect the vulnerabilities now being exploited. And patching now won't help if the hafnium group has already installed a webshell as a backdoor. Security researchers from the discovering security vendor Volexity consider the whole thing a ticking time bomb. It's a terrible mess, because it likely have affected many small businesses where an Exchange server is bumming around (see also this Wired article). More information and analysis is provided in this Microsoft article, as well as this US-CERT warning. The article also gives IP addresses that scan the Internet – and there is an analysis of how one might detect an infection. and Germany with more than 10,000 instances. In this article, security vendor Rapid7 in diesem Artikel assumes there are 170,000 Exchange servers at risk, though there are probably "hot spots" in the U.S. Infected Exchange servers, Source: Rapid7 – Click to Zoom The BSI has started to inform identified affected people by mail. In the blog post Important Important notes from Microsoft regarding the Exchange server security update (March 2021), I had mentioned the German BSI's warning that thousands of German Exchange installations had been hacked. It is now clear that mass scans were conducted on the Internet and that the hafnium group was aggressively trying to infiltrate vulnerable Exchange instances. Just a few days ago, I assumed that only a few US institutions and companies were targeted. The attackers' goal was to gain control of the victims' email and possibly access and infiltrate their network infrastructure via Active Directory permissions. And the Volexity blog (their security researchers discovered the attack and vulnerabilities) has this post on the subject. I had reported about it in various blog posts (see end of article). The vulnerability was not closed by security updates until March 2, 2021. Hackers from the suspected state-affiliated Chinese hacking group Hafnium have been using vulnerabilities in on-premise Exchange servers to infiltrate for months. ![]() ![]() It appears that after the SolarWinds attack by suspected state-affiliated Russian attackers, the next security disaster has just been revealed. Hundreds of thousands of Exchange servers infiltrated
0 Comments
Leave a Reply. |