Proxy (authentication bypass) attacks on Microsoft Exchange Server have been rising since March 2021, when HAFNIUM—a state-sponsored threat group—exploited the ProxyLogon vulnerability and compromised over 30,000 Exchange Servers worldwide.
Microsoft responded by releasing emergency patches and Indicators of Compromise (IOC) detection tools, such as the Exchange On-Premises Mitigation Tool (EOMT) and Test-ProxyLogon, to investigate whether an Exchange Server has been compromised and to mitigate the risks.
The EOMT.ps1 PowerShell script automatically runs the latest Microsoft Safety Scanner (MSERT) that finds and neutralizes web shells on the compromised Exchange Server.
However, according to Shodan, more than 9,000 Exchange Servers are still vulnerable to ProxyLogon attacks (as of December 06, 2021).
Later, when Microsoft released patches for the ProxyShell vulnerabilities in April and May 2021, newer threat groups started exploiting them to compromise Exchange Servers, steal data, and deploy ransomware for extortion, such as LockFile.
ProxyShell—a set of three vulnerabilities CVE-2021-34473, CVE-2021-34523, CVE-2021-31207—is considered more severe than ProxyLogon. The vulnerability lies in the Microsoft Client Access Service (CAS) that runs over IIS—usually exposed to the internet.
This makes it easier for attackers to discover Exchange Servers vulnerable to ProxyShell through the Autodiscover URL.
In this post, we discuss tools and methods to investigate and identify a compromised Exchange Server. We also share solutions to remediate a compromised Exchange Server and recover its mailboxes.
Identifying Compromised Exchange Server
Below we discuss the steps to detect whether your Exchange Server has been compromised through exploitation of the proxy vulnerabilities.
Detect ProxyLogon Exploitation
To detect if the Exchange Server is compromised due to ProxyLogon, use the Test-ProxyLogon PowerShell script by Microsoft—available on Microsoft’s GitHub page.
This lightweight PowerShell script runs silently and does not impact your Exchange Server operations. It scans and analyzes the Exchange and IIS logs to detect malicious activity and provides evidence of a compromised Exchange Server.
To run the script,
- Download it on your server and then open Windows PowerShell as administrator (a .ps1 script must be run from PowerShell, not from cmd.exe).
- Navigate to the folder where the Test-ProxyLogon script is located using the ‘cd’ command and then execute the following command to run the script:
.\Test-ProxyLogon.ps1
If it does not find any evidence, it displays ‘Nothing suspicious detected’ as an output message.
However, if it detects any suspicious activity, investigate the logs. For detailed information, refer to this Microsoft blog.
Also, run the EOMT.ps1 PowerShell script to mitigate the ProxyLogon risks and then patch your Exchange Server by installing the latest Cumulative Update.
Detect ProxyShell Exploitation
To check if your Exchange Server is compromised through the ProxyShell vulnerabilities, check the reverse proxy (HttpProxy) logs located in C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy (the Autodiscover subfolder holds the requests of interest).
Also, monitor inbound port 443 for requests to the URI ‘/autodiscover/autodiscover.json’ and check whether the request (URL stem or query string) contains any of the following strings with a resulting status code of 200, 301, or 302:
("powershell", "mapi/nspi", "mapi/emsmdb", "/EWS", "X-Rps-CAT")
Also, check the IIS logs for the same pattern. If the IIS logs are collected in Azure Sentinel / Log Analytics, the following KQL query against the W3CIISLog table finds Autodiscover requests whose query string carries the NSPI backend path:
W3CIISLog | where csUriStem == "/autodiscover/autodiscover.json" | where csUriQuery has "/mapi/nspi/"
If you find these strings, it indicates a compromised Exchange Server.
I Have Been Compromised. What should I do?
Do not use a compromised Exchange Server in the production environment even if you have fixed it. You can’t be 100% sure that all web shells and backdoors installed by the attacker on your compromised Exchange Server are removed.
It is recommended to set up a new Exchange Server and restore the mailboxes using backup. If a backup isn’t available, you can use Exchange recovery software, such as Stellar Repair for Exchange, to extract mailboxes from the mailbox database on the compromised Exchange Server and export them directly to your new server.
How Do I Safeguard Exchange On-Premises Server from Malicious Attacks?
First, run the health checker script—another PowerShell-based tool by Microsoft—to check the server health, identify security and non-security issues and vulnerabilities. It generates a detailed HTML report, which you can open in any web browser to identify and fix the risks.
To use the HealthChecker.ps1 script, download it and execute the following command in an elevated Windows PowerShell window:
.\HealthChecker.ps1 -BuildHtmlServersReport
To protect Exchange Server against malicious attacks, immediately install the latest Cumulative Update released in September 2021 for Microsoft Exchange Server 2013, 2016, and 2019. Then apply hotfixes and Security Updates released in November 2021 (as of writing this post) for supported Cumulative Updates to stay protected.
You must apply at least May 2021 Security Updates to your vulnerable Exchange Server to protect against ProxyLogon and ProxyShell exploits.
You may refer to this guide to install Cumulative and Security Updates on Exchange Server.
Besides, monitor port 443. You may also temporarily block the port to prevent attackers from compromising your server until the server is updated.
However, this will prevent users from accessing the server in the current work-from-home scenario. Nevertheless, implementing a secure VPN for remote work can help in such a critical situation.
If you have any queries or need more help related to Exchange Server, leave a comment below.