Exchange Server – Chinese Hafnium Hack
If your organization runs Exchange Server with OWA, assume that it was compromised between 02-26-21 and 03-03-21. The affected versions are Exchange Server 2013, 2016, and 2019.
- Patch ASAP: Multiple Security Updates Released for Exchange Server – updated March 8, 2021 – Microsoft Security Response Center
- Check for 8-character .aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\
- Scan Exchange Server logs with Microsoft’s IOC detection tool: Microsoft IOC Detection Tool for Exchange Server Vulnerabilities | CISA
- More technical information to determine if systems are compromised: Mitigate Microsoft Exchange Server Vulnerabilities | CISA
Unfortunately, none of these will remove the threat actors, web shells or backdoor trojans left behind. An estimated 60,000 organizations worldwide have been impacted.
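
The file check from the list above can be scripted. The following PowerShell is an added example, not part of the original post or of Microsoft's tooling. It lists .aspx files with 8-character base names under the path given above and flags any created or modified in the 02-26-21 to 03-03-21 window. Searching subfolders and the CSV file name are assumptions of this example.

```powershell
# Added example: find 8-character .aspx files under the directory named in the post.
# Requires PowerShell 4.0 or later (Get-FileHash). Run in an elevated session on the Exchange server.
$root = 'C:\inetpub\wwwroot\aspnet_client\system_web\'

# Window in which the post says to assume compromise (02-26-21 through 03-03-21).
$windowStart = [datetime]'2021-02-26'
$windowEnd   = [datetime]'2021-03-04'   # exclusive upper bound, so all of 03-03-21 is covered

if (Test-Path -LiteralPath $root) {
    # Assumption of this example: subfolders are searched too (-Recurse).
    $hits = Get-ChildItem -LiteralPath $root -Filter '*.aspx' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName.Length -eq 8 } |
        ForEach-Object {
            [pscustomobject]@{
                FullName      = $_.FullName
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                # True when either timestamp falls inside the window above.
                InWindow      = ($_.CreationTime -ge $windowStart -and $_.CreationTime -lt $windowEnd) -or
                                ($_.LastWriteTime -ge $windowStart -and $_.LastWriteTime -lt $windowEnd)
                # Hash recorded so the file can be referenced later without opening it.
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }

    if ($hits) {
        $hits | Sort-Object CreationTime | Format-List
        # Hypothetical output file name: keep a record before anything is quarantined or deleted.
        $hits | Export-Csv -Path ".\aspx-8char-$env:COMPUTERNAME.csv" -NoTypeInformation
    } else {
        Write-Output "No 8-character .aspx files found under $root"
    }
} else {
    Write-Warning "Path not found: $root"
}
```

An empty result covers only this one directory and file-name pattern, and file timestamps can be altered, so files outside the window still need review.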