Exchange Server – Chinese Hafnium Hack

If your organization runs Exchange Server with OWA, assume that it was compromised between 02-26-21 and 03-03-21. This applies to Exchange Server versions 2013, 2016, and 2019.

  1. Patch ASAP: Multiple Security Updates Released for Exchange Server – updated March 8, 2021 (Microsoft Security Response Center)
  2. Check for .aspx files with 8-character names in C:\inetpub\wwwroot\aspnet_client\system_web\
  3. Scan Exchange Server logs with Microsoft's IOC detection tool: Microsoft IOC Detection Tool for Exchange Server Vulnerabilities (CISA)
  4. More technical information to determine if systems are compromised: Mitigate Microsoft Exchange Server Vulnerabilities (CISA)
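The file check in step 2 can be scripted so it is repeatable across every Exchange server. The script below is an added example, not from the original post or from Microsoft or CISA; it assumes it runs as an administrator on the Exchange server, uses the directory named in step 2, and uses the post's date window to flag files written in that period.

```powershell
# Added example (not part of the original post). Enumerate .aspx files under
# the aspnet_client\system_web directory from step 2, flag any whose base name
# is exactly 8 characters, and flag any created or modified inside the window
# the post gives, so suspect files can be triaged against the CISA IOC tool.
# Assumptions: run as administrator on the Exchange server; path and dates
# are the ones stated in the post.
$webShellDir = 'C:\inetpub\wwwroot\aspnet_client\system_web'
$windowStart = Get-Date '2021-02-26'
$windowEnd   = (Get-Date '2021-03-03').AddDays(1)   # inclusive of 03-03-21

function Find-SuspectAspx {
    param(
        [string]   $Path  = $webShellDir,
        [datetime] $Start = $windowStart,
        [datetime] $End   = $windowEnd
    )
    # Any .aspx under this directory is unusual on a healthy server; recurse in
    # case a file was dropped in a subfolder.
    Get-ChildItem -Path $Path -Filter '*.aspx' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inWindow = ($_.CreationTime  -ge $Start -and $_.CreationTime  -lt $End) -or
                        ($_.LastWriteTime -ge $Start -and $_.LastWriteTime -lt $End)
            [pscustomobject]@{
                Path          = $_.FullName
                EightCharName = ($_.BaseName.Length -eq 8)
                InWindow      = $inWindow
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                # Hash lets the file be matched against published IOC lists.
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.EightCharName -or $_.InWindow } |
        Sort-Object CreationTime
}

# Print the findings; preserve copies of any hits for forensics before cleanup.
Find-SuspectAspx | Format-Table -AutoSize
```

Hashing only reads the files, but copy any hit to evidence storage before you remove it, since deleting the web shell alone does not remove whatever else the actor left behind.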

Unfortunately, none of these will remove the threat actors, web shells or backdoor trojans left behind. An estimated 60,000 organizations worldwide have been impacted.