All you wanted to know about the Microsoft Exchange Breach Infecting 30-60,000 Enterprises

Windows Defender has also been updated to detect the web shells. The Microsoft Safety Scanner, (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download), also called MSERT, can be used to detect and will automatically remove the implanted web shells unless you start it with the /N argument. Note MSERT is not a real-time defense tool and only performs spot checks. Select the full scan option, which can take a while. Microsoft also released a PowerShell script “Test-ProxyLogin.ps1” to search for IOCs in Exchange and OWA log files, see GitHub CSS-Exchange link below.

Lee Neely

Given the nature of these vulnerabilities and the widespread exploitation of them, if your company has not yet applied the patches then assume you have been breached and respond accordingly. Applying the patches will fix the vulnerability but will not address any compromise or additional backdoors attackers may have planted before the patches were applied.

Brian Honan

Examine the mitigations carefully before deciding to implement. They include disabling services you may be using. Even if you decide to implement them, you still need to apply the security patches for a complete fix as well as check your services for IOC’s to make sure you’re not already compromised.

Lee Neely

The Brian Krebs article includes an excellent timeline that helps explain how these bugs went from to a bug disclosure with updates on patch Tuesday scenario to an act immediately situation. Make sure that you examine the mitigation and remediation options from Microsoft, do not leave your exchange services unchecked, act on the assumption that many threat actors are looking for an opportunistic exploit. Don’t be exploit 60,001.

Lee Neely

This is third-party compromise. Affiliated airlines, (e.g., Star Alliance) share data. One of the Airlines is also a SITA customer, with associated data sharing, which allowed access to not only their customers’ data but also passenger data for other member airlines. When sharing data, make sure only the minimum necessary to operate is shared, that protection requirements are clearly stated, then monitor for misuse. In this case the data is limited to member name, status and membership number; airlines are watching for misuse of that information.

Lee Neely

Frequent flyers should take this occasion to review the often extensive personal information that airlines and travel agencies hold on them and change their passwords. Few airlines or travel agencies offer strong authentication.

William Hugh Murray

This NewsBites item illustrates both the complexity and time varying nature of supply chain risk. If company X used Bank Y that had a file transfer capability that was provided by service Z that used the Accellion File Transfer appliance, December 2020 (when Accellion acknowledged it was the cause of the first reported breach) should have been an immediate severe risk flag – if Company X even know Bank Y used Service Z that used Accellion’s vulnerable product. But the risk actually started increasing in 2018 when Accellion started telling customers it would be ending support for the product in April 2021 and ending support for the appliance OS in November 2020 – all reasons for Service Z to move away from the product and for customers of Service Z to move away from Service Z if it did not – if this level of supply chain risk monitoring was being done, which some are actually doing today.

John Pescatore

If you have the Accellion FTA appliance, you are hopefully finishing (or have finished) your migration to an alternative solution. If you are a customer of a company still using the FTA appliance, evaluate the risk of data exposed using that platform, versus selecting a new supplier using supported/secure services. Make sure your vendor/supply chain monitoring includes watching for and responding to these sorts of risk.

Lee Neely

Treat this as a zero day. The coding error, when exploited, allows the creation of new admin users and login as existing ones. A firewall rule was distributed to the paid Wordfence users on March 8th; free versions will not get that rule until April 7th. If you’re using the paid version of Elementor, and you need The Plus Addons, an alternative to removing the plugins may be to switch to the free “Elementor Lite.”

Lee Neely

QNAP NAS devices have been a target since September 2019. Limiting access to them and keeping the firmware and apps updated needs to be SOP. If you own a QNAP NAS device, change the passwords for all accounts, remove unknown user accounts, make sure both the firmware and applications are updated, remove unused/unknown applications, limit access to the device to authorized hosts only via ACL or firewall rules, and install the QNAP MalwareRemover app.

Lee Neely

NAS devices should not be attached to the public networks. They should be physically isolated, not merely firewalled.

William Hugh Murray

These attacks were possible because working credentials were obtained for the targeted servers. MFA should be SOP when protecting access to sensitive data, such as medical records. Also make sure systems are accessible only from known clients, and that patient/customer facing systems can only be used to access the minimum amount of data, and are monitored for misuse. Make sure these systems also implement MFA.

Lee Neely