When the Exchange Server vulnerabilities were first identified earlier this month, Microsoft published mitigation guidance, fundamentally recommending that organisations upgrade their on-premises Exchange environments to the latest supported version. For organisations unable to apply the patches quickly, it also published additional mitigation techniques.
But these recommendations are not a remediation if your Exchange Server had already been compromised before the patch was deployed. Our investigations are finding that, once the vulnerability had been exploited and a web shell put in place, attackers attempted to install additional malware. It is therefore inevitable that more threat actors, including the dreaded ransomware attacker, will soon have access to these back doors, which remain open despite the specific vulnerability having been remediated.
If you have been compromised, you should ensure that all web shells are identified and removed, change all credentials and investigate for any further malicious activity. Through additional investigation and deployment of our threat hunting solution, 3B Data Security can help you determine whether any data may have been exfiltrated as a result of these vulnerabilities.
A web shell is a small piece of malicious code that provides an attacker with a convenient way - a back door - to launch attacks using a compromised web server.
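As an added illustration of the first step above, identifying web shells, the following Python script (written for this page; it is not 3B Data Security's threat hunting solution) walks a web root and flags ASP.NET script files that carry common web-shell traits or were modified after a given patch date. The web root, indicator patterns, sample files and patch date are all constructed assumptions.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Common web-shell traits in web-accessible ASP.NET files: request input reaching an
# evaluator, a process launcher or a file writer. A triage starting point, not proof.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax")
INDICATORS = {
    "request data passed to a code evaluator": re.compile(r"\bEval\s*\(\s*Request\b", re.I),
    "spawns an OS process from request data": re.compile(r"\bProcess(StartInfo)?\b.*\bRequest\b", re.I | re.S),
    "writes uploaded data to disk": re.compile(r"\bRequest\.Files\b|\bFile\.WriteAll\w*\s*\(", re.I),
}

def indicators_in(text):
    """Return the names of every indicator that matches the file text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_web_root(root, since=None):
    """Report each script file under root matching an indicator or modified after `since`."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = indicators_in(fh.read())
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            if since is not None and mtime > since:
                reasons.append(f"modified after {since.isoformat()}")
            if reasons:
                findings.append({"path": path, "modified": mtime, "reasons": reasons})
    return findings

def demo():
    """Constructed web root: a legitimate page, a file with shell traits, a page dropped post-patch."""
    root, patched = tempfile.mkdtemp(), datetime(2021, 3, 10, tzinfo=timezone.utc)
    samples = {  # constructed contents; none of these is a working page
        "legit.aspx": '<%@ Page Language="C#" %><html>Outlook Web App</html>',
        "drop.aspx": '<%@ Page Language="C#" %><% /* constructed */ Eval(Request["x"]); %>',
        "new.aspx": '<%@ Page Language="C#" %><html>placeholder</html>',
    }
    for name, body in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        stamp = patched.timestamp() + (86400 if name == "new.aspx" else -86400)
        os.utime(path, (stamp, stamp))  # pin mtime: only new.aspx post-dates the patch
    return {os.path.basename(f["path"]): f["reasons"] for f in scan_web_root(root, patched)}
```

Run `demo()` to see the two flagged files; on a real server, point `scan_web_root` at each web-accessible directory and review every hit by hand, since a new file alone is a lead, not a verdict.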