2021-03-22
Exchange Server: Some Patched Systems Were Already Breached
Brandon Wales, acting executive director of the Cybersecurity and Infrastructure Security Agency (CISA), said that thousands of Exchange Servers that have been patched had already been breached. He urged companies to check their systems for indicators of compromise and malicious activity, noting that compromised systems could be used to introduce ransomware or to attack other organizations. Updates for the critical flaws were released on March 2, but many systems have not yet been patched. Researchers at F-Secure said that Exchange Servers are being attacked “faster than we can count.”
Editor's Note
Make sure that you’ve checked for IOCs after you patch. The vulnerabilities are being actively exploited, and even if you applied the patches the day they were released, you still need to verify that your system is clean. Both Microsoft and CISA have published free tools to scan your system. The Microsoft EOMT tool has been updated to be easier and more effective than the prior version and will download and install the MS Security Scanner. https://github.com/microsoft/CSS-Exchange/tree/main/Security

Lee Neely
Internet-wide scans preceded the patch. Assume breach if your Exchange server was exposed to the internet before you applied the patch.
