
Information Microsoft Exchange

How to update your Microsoft Exchange Mail Server?

Our analysis reveals that about 650 companies have not yet updated their Microsoft Exchange mail server since the vulnerability of March 2021. This allows cybercriminals to break into their computer network. We are contacting you because your company is on this list. We therefore recommend that you apply the necessary patches as soon as possible so that your corporate network is no longer exposed to potential cyber attacks.

 

First things first

Please apply all of the following patches:

| Release date | Product | Article | Download |
|---|---|---|---|
| Jul 13, 2021 | Microsoft Exchange Server 2019 Cumulative Update 10 | 5004780 | Security Update |
| Jul 13, 2021 | Microsoft Exchange Server 2016 Cumulative Update 21 | 5004779 | Security Update |
| Jul 13, 2021 | Microsoft Exchange Server 2013 Cumulative Update 23 | 5004778 | Security Update |
| Jul 13, 2021 | Microsoft Exchange Server 2016 Cumulative Update 20 | 5004779 | Security Update |
| Jul 13, 2021 | Microsoft Exchange Server 2019 Cumulative Update 9 | 5004780 | Security Update |

 

How to check if you were compromised

1) In the IIS logs of the OWA server, search using the following rule:

https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_exchange_proxyshell.yml (Sigma rule created and published by Florian Roth)
At a high level, check for log entries that contain the string '/autodiscover.json' together with at least one of the following: 'autodiscover.json?@', 'autodiscover.json%3f@', '%3f@foo.com', 'Email=autodiscover/autodiscover.json', 'json?@foo.com', '/powershell', '/mapi/nspi', '/EWS' or 'X-Rps-CAT'.

 

2) In the PowerShell execution logs, search using the following rule:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/process_mailboxexport_share.yml (Sigma rule created and published by Florian Roth)
At a high level, search for command lines that contain all of the following strings: 'New-MailboxExport', ' -Mailbox ' and ' -FilePath \\127.0.0.1\C$'.
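
The two checks above can be run over exported logs with a short script. The following is an added example, not part of the original advisory or of the Sigma project. It assumes IIS logs in W3C format with a `#Fields:` header and case-insensitive matching; the function names and all sample log lines are constructed for illustration.

```python
# Added example: substring checks from steps 1 and 2, matched case-insensitively.
PROXYSHELL_BASE = "/autodiscover.json"
PROXYSHELL_ANY = [
    "autodiscover.json?@", "autodiscover.json%3f@", "%3f@foo.com",
    "email=autodiscover/autodiscover.json", "json?@foo.com",
    "/powershell", "/mapi/nspi", "/ews", "x-rps-cat",
]
EXPORT_ALL = ["new-mailboxexport", " -mailbox ", " -filepath \\\\127.0.0.1\\c$"]

def scan_iis(lines):
    """Step 1: return parsed W3C rows containing the base string AND any indicator."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip():
            continue  # skip other W3C directives and blank lines
        low = line.lower()
        if PROXYSHELL_BASE in low and any(s in low for s in PROXYSHELL_ANY):
            hits.append(dict(zip(fields, line.split())))
    return hits

def is_local_share_export(cmdline):
    """Step 2: True only when all three strings occur in the command line."""
    low = cmdline.lower()
    return all(s in low for s in EXPORT_ALL)

# Constructed sample data (documentation IP ranges, not real traffic).
SAMPLE_IIS = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-10 09:12:01 192.0.2.10 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-08-10 09:12:05 192.0.2.10 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@foo.com 443 - 198.51.100.23 python-requests 200
2021-08-10 09:13:00 192.0.2.10 GET /autodiscover/autodiscover.json/v1.0/user@example.com Protocol=ActiveSync 443 - 198.51.100.7 Outlook 200
""".splitlines()
SAMPLE_CMDS = [
    r"New-MailboxExportRequest -Mailbox user@example.com -FilePath \\127.0.0.1\C$\temp\constructed.pst",
    r"New-MailboxExportRequest -Mailbox user@example.com -FilePath \\fileserver\exports\user.pst",
]

if __name__ == "__main__":
    for row in scan_iis(SAMPLE_IIS):
        print("IIS hit:", row["date"], row["time"], row["c-ip"], row["cs-uri-stem"], row["cs-uri-query"])
    for cmd in SAMPLE_CMDS:
        print("export to local share" if is_local_share_export(cmd) else "no match", "|", cmd)
```

The third sample IIS line contains '/autodiscover.json' but none of the secondary strings, so it is not reported; a hit indicates a request worth investigating, not proof of compromise.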
