HAFNIUM Exchange Server Zero Day Exploit. What to know / What to do?

Today I'm writing about an ongoing story: a very serious zero-day vulnerability that is present in more or less all current versions of Microsoft's Exchange Server products. At this time, a Chinese hacker group that goes by the name HAFNIUM is actively using this vulnerability to break into Exchange servers, steal data, and leave the systems open for future access. Microsoft strongly recommends patching all on-premises Exchange servers immediately!

What versions of Exchange Server are affected?

All Exchange Server versions from 2010 through 2019 are affected. Exchange Online is not affected. Patches are available for all current patch levels, even for Exchange Server 2010:

  • Exchange Server 2010 (Service Pack 3)
  • Exchange Server 2013 (CU 23)
  • Exchange Server 2016 (CU 18, CU 19)
  • Exchange Server 2019 (CU 7, CU 8)

What to do? – Patch immediately!

Microsoft is stressing this: patch immediately! Because the hacking group mentioned above is exploiting this vulnerability as you read, you should take action right now. Grab the patch for your Exchange version directly from here:

Keep in mind that you need to have the corresponding Cumulative Update installed before installing this patch. The patch is not yet offered through Windows Update.

Known issues: to avoid problems caused by UAC, make sure to run this patch from an elevated command prompt. Not doing so can potentially brick your OWA and ECP.

Make sure to install the security patch using an elevated command prompt or PowerShell.

How do I know if I've already been exploited?

Microsoft has already compiled a great article on its findings and on how to find out whether you've been exploited. You can find it here. Below is a short excerpt of what to do. Keep in mind that this information can become outdated quickly, so make sure to check the Microsoft article as well. Also: please make sure to run ALL of the following checks, as the whole exploit is comprised of several independent vulnerabilities.

  1. Check your HttpProxy logs. To do this quickly, you can use the following command:

    Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox

  2. One part of the exploit is used for downloading your Offline Address Book. To find out whether this happened, use the following command:

    findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

  3. Check the Windows Event Log for suspicious entries. Again, there is a command to do this quickly:

    Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

  4. Check whether the ECP web app has been compromised. Again, here's a handy command to do so:

    Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'

-> If any of these commands returns anything at all, you should take action and investigate immediately!
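The commands above are meant to be typed on the Exchange server itself. As an added example (it is not part of this post and not Microsoft's script), the following Python applies the same three file-based filters to HttpProxy, OABGenerator and ECP logs that have been copied off a server for offline review, which is how you would triage several servers at once. The log lines embedded in it are constructed samples; the column names follow the fields used by the commands above, and the real HttpProxy logs carry many more columns, which csv.DictReader simply ignores. The Event Log check (step 3) has no file equivalent here and still needs Get-EventLog on the host. One caveat for step 4: a Set-*VirtualDirectory hit can also be a legitimate administrative change, so compare the timestamps against your own change records before concluding anything.

```python
import csv
import fnmatch
import re

# All three samples below are constructed for this example; they are not real log excerpts.
# Exchange HttpProxy logs are CSV files with a header row. Only the columns the check
# needs are included here; csv.DictReader ignores the many extra columns in real logs.
HTTPPROXY_SAMPLE = """DateTime,RequestId,Protocol,AuthenticatedUser,AnchorMailbox,ClientIpAddress
2021-03-02T08:14:03.112Z,1a2b,Owa,CONTOSO\\alice,alice@contoso.example,10.0.0.5
2021-03-02T08:15:41.901Z,3c4d,Autodiscover,,ServerInfo~exchange.contoso.example/autodiscover/autodiscover.xml,203.0.113.7
2021-03-02T08:16:02.330Z,5e6f,Ecp,CONTOSO\\admin,admin@contoso.example,10.0.0.9
"""

OAB_SAMPLE = """2021-03-02T09:00:00.000Z,OABGenerator,Information,Starting OAB generation for Default Offline Address Book
2021-03-02T09:00:05.221Z,OABGenerator,Error,Download failed and temporary file C:\\constructed\\example.tmp was left behind
"""

ECP_SAMPLE = """2021-03-02T09:10:00.000Z,ECP,Get-Mailbox -Identity alice
2021-03-02T09:10:07.500Z,ECP,Set-OabVirtualDirectory -Identity 'OAB (Default Web Site)'
2021-03-02T09:11:30.004Z,ECP,Get-OabVirtualDirectory
"""

HTTPPROXY_ANCHOR_PATTERN = "ServerInfo~*/*"              # same wildcard as the -like filter
OAB_FAILURE_TEXT = "download failed and temporary file"  # findstr /i is case-insensitive
ECP_VDIR_PATTERN = re.compile(r"Set-.+VirtualDirectory", re.IGNORECASE)  # Select-String is case-insensitive by default


def suspicious_httpproxy_rows(log_text):
    """Rows with an empty AuthenticatedUser and a ServerInfo~*/* AnchorMailbox,
    the same filter as the Import-Csv | Where-Object command (step 1).
    Returns a list of (DateTime, AnchorMailbox, ClientIpAddress) tuples."""
    # Assumption: tolerate '#'-prefixed comment lines in front of the CSV header.
    lines = [ln for ln in log_text.splitlines() if ln and not ln.startswith("#")]
    hits = []
    for row in csv.DictReader(lines):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and fnmatch.fnmatchcase(anchor, HTTPPROXY_ANCHOR_PATTERN):
            hits.append((row.get("DateTime", ""), anchor, row.get("ClientIpAddress", "")))
    return hits


def oab_download_failures(log_text):
    """Lines containing the OAB generator failure text, with 1-based line
    numbers like findstr /n (step 2)."""
    return [(n, ln) for n, ln in enumerate(log_text.splitlines(), start=1)
            if OAB_FAILURE_TEXT in ln.lower()]


def ecp_virtualdirectory_changes(log_text):
    """Lines in the ECP server log matching Set-*VirtualDirectory, with 1-based
    line numbers, like the Select-String command (step 4)."""
    return [(n, ln) for n, ln in enumerate(log_text.splitlines(), start=1)
            if ECP_VDIR_PATTERN.search(ln)]


def triage(httpproxy_text, oab_text, ecp_text):
    """Run all three offline checks and return a dict of findings; every
    non-empty list is something to investigate."""
    return {
        "httpproxy_unauthenticated_serverinfo": suspicious_httpproxy_rows(httpproxy_text),
        "oab_download_failures": oab_download_failures(oab_text),
        "ecp_virtualdirectory_changes": ecp_virtualdirectory_changes(ecp_text),
    }


if __name__ == "__main__":
    findings = triage(HTTPPROXY_SAMPLE, OAB_SAMPLE, ECP_SAMPLE)
    for check, rows in findings.items():
        print(f"{check}: {len(rows)} hit(s)")
        for row in rows:
            print("   ", row)
```

To use it on real data, read each collected log file into a string and pass it to the matching function (or concatenate all HttpProxy files per server before calling suspicious_httpproxy_rows, since every file carries its own header row that DictReader needs).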

Summary

This exploit is quite serious. At least, that's clearly how Microsoft is treating it. While writing this article, I even received an e-mail from the Microsoft Partner Network advising me to take action immediately. It's very unusual for them to use that channel for such things. So yes, the threat is real.

So the summary of this article is easy and short: Patch immediately!
