Uprooting Webshells Is Key in Dealing With Compromised Exchange Servers
- Microsoft has posted a detailed guide on how to respond to Exchange vulnerability exploitation.
- The actors are first planting a web shell by exploiting CVE-2021-26855, and from there, a host of possibilities opens.
- Uprooting these web shells and applying the March fixing patches is key in the clean-up and securing process.
Microsoft has released a detailed advisory to provide guidance for responders investigating and remediating on-premise exchange attacks. There, we see a more detailed explanation of how the attack works. According to the software firm, actors appear to start their exploitation process with CVE-2021-26855, which is an unauthenticated, remote code execution flaw. This is helping them establish persistent access to the compromised system via a web shell, typically something written in ASP, PHP, or JSP.
From there, the actors execute more commands and abuse various server functions, bringing CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065 into play as well. The flaws open up a host of potential for the malicious actors, ranging from the exfiltration of sensitive data to the deeper infiltration into the compromised network. Therefore, and since the planting of the web shell is the key step-stone for the actors, uprooting the malware is also crucial. Otherwise, the attackers would still have a way to return.
The best way to deal with this problem is to apply the March 2021 Exchange Server Security Update, which addresses all of the associated vulnerabilities. If that’s impossible, Microsoft suggests the following immediate temporary mitigations:
- Run EOMT.ps1 (Recommended)
- Run ExchangeMitigations.ps1
Another key step to take would be to isolate the Exchange server from the public internet, which can be done by blocking port 443 from receiving any inbound internet traffic or configure the firewall accordingly. Of course, this is again only a temporary solution, and moving to a supported Cumulative Update is still the only approach that is considered totally safe.
Microsoft has also set up a threat analytics page on the 365 Security Center to provide the latest indicators of compromise and help admins determine if any of their systems have been impacted by malicious activity. A quick and easy way to automate this process is by deploying Microsoft Defender for Endpoint, which features preventive blocks and also post-exploitation activity detection.
And finally, if you have been compromised, it is sometimes useful to consider moving your mail services to the cloud instead of going through the effort to restore the infected Exchange Server. Microsoft has set up a FastTrack service for this purpose, helping organizations migrate quickly and hassle-free.