Information Microsoft Exchange
How to update your Microsoft Exchange Mail Server?
Our analysis reveals that about 650 companies have not yet updated their Microsoft Exchange mail server following the vulnerability in March 2021. This allows cybercriminals to break into their computer network. We are contacting you because your company is on this list. We therefore recommend that you apply the necessary patches as soon as possible so that your corporate network is no longer exposed to potential cyber attacks.
First Things First
Please apply all of the following patches:
Release date | Product | Article | Download |
Jul 13, 2021 | Microsoft Exchange Server 2019 Cumulative Update 10 | 5004780 | Security Update |
Jul 13, 2021 | Microsoft Exchange Server 2016 Cumulative Update 21 | 5004779 | Security Update |
Jul 13, 2021 | Microsoft Exchange Server 2013 Cumulative Update 23 | 5004778 | Security Update |
Jul 13, 2021 | Microsoft Exchange Server 2016 Cumulative Update 20 | 5004779 | Security Update |
Jul 13, 2021 | Microsoft Exchange Server 2019 Cumulative Update 9 | 5004780 | Security Update |
How to check if you were compromised
1) Search the IIS logs from the OWA server using the following rule:
https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_exchange_proxyshell.yml (Sigma rules created and published by Florian Roth)
At a high level, you should check for the string ‘/autodiscover.json’ and (‘autodiscover.json?@’ or ‘autodiscover.json%3f@’ or ‘%3f@foo.com’ or ‘Email=autodiscover/autodiscover.json’ or ‘json?@foo.com’ or ‘/powershell’ or ‘/mapi/nspi’ or ‘/EWS’ or ‘X-Rps-CAT’).
2) Search the PowerShell execution logs using the following rule:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/process_mailboxexport_share.yml (Sigma rules created and published by Florian Roth)
At a high level, the strings to search for are ‘New-MailboxExport’ and ‘ -Mailbox ’ and ‘ -FilePath \\127.0.0.1\C$’.
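The two high-level checks above, applied to constructed log lines, as an added example that is not part of the original page or of the Sigma rules. Case-insensitive matching is an assumption, and the sample lines, IP addresses, host names and PLACEHOLDER values are invented for illustration.

```python
# Indicator strings are the ones listed on the page; all log data is constructed.
REQUIRED = "/autodiscover.json"
ANY_OF = ("autodiscover.json?@", "autodiscover.json%3f@", "%3f@foo.com",
          "Email=autodiscover/autodiscover.json", "json?@foo.com",
          "/powershell", "/mapi/nspi", "/EWS", "X-Rps-CAT")
EXPORT_ALL = ("New-MailboxExport", " -Mailbox ", r" -FilePath \\127.0.0.1\C$")
# Constructed W3C-style IIS lines (documentation IP ranges, placeholder token).
SAMPLE_IIS = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2021-08-10 09:12:01 GET /owa/auth/logon.aspx - 443 192.0.2.10 200",
    "2021-08-10 09:12:05 POST /autodiscover/autodiscover.json "
    "Email=user@example.com&Protocol=ActiveSync 443 192.0.2.10 200",
    "2021-08-10 09:13:44 GET /autodiscover/autodiscover.json "
    "@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com "
    "443 203.0.113.7 200",
    "2021-08-10 09:14:02 POST /autodiscover/autodiscover.json "
    "@foo.com/powershell/?X-Rps-CAT=PLACEHOLDER&Email=autodiscover/"
    "autodiscover.json%3F@foo.com 443 203.0.113.7 200",
]
# Constructed command lines as they might appear in process-creation logs.
SAMPLE_CMDS = [
    r"New-MailboxExportRequest -Mailbox user@example.com -FilePath \\fs01\exports\user.pst",
    r"New-MailboxExportRequest -Mailbox user@example.com -FilePath \\127.0.0.1\C$\PLACEHOLDER",
]


def iis_hits(lines):
    """Return (line_number, matched_indicators) for each suspicious IIS log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#"):  # skip W3C header lines such as #Fields
            continue
        low = line.lower()
        if REQUIRED.lower() in low:
            matched = [s for s in ANY_OF if s.lower() in low]
            if matched:
                hits.append((n, matched))
    return hits


def export_hits(command_lines):
    """Return the command lines that contain all three mailbox-export strings."""
    return [c for c in command_lines
            if all(s.lower() in c.lower() for s in EXPORT_ALL)]


if __name__ == "__main__":
    print(iis_hits(SAMPLE_IIS))
    print(export_hits(SAMPLE_CMDS))
```

IIS W3C logs record cs-uri-stem and cs-uri-query as separate fields, so the '?' between them is not written; this is why the sample hits match on the ‘%3f@’ and ‘Email=’ strings rather than on ‘autodiscover.json?@’.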