Tom here from Lawrence Systems, and I'm joined with Dave over at Huntress, and we're talking actively exploited Exchange. This is bad.

Yeah, yeah, it's definitely not good. It's suboptimal, right?

Suboptimal. Exchange is a picky thing, which is what we were talking about before. You've got a long history of managing Exchange servers and what it really takes to run one, and to go even further, when it breaks, it's the worst tool to break, because it can be so hard to fix, and restoring from backups when more email has come in, it's just unpleasant. This is easy, to merge all the partial backups, right? No.

Yeah, yeah, totally easy, right? You get your old base and then you roll in your weeklies, your hourlies or whatever, into your full, and then what happened to all the mail that was coming in while the server was down, right? It's just simple. It's real. It's rebooted. It'll be done. It's rebuilt.

But what this is about is there was an active exploit found, a zero-day essentially. Am I correct on this?

It's, yeah, absolutely in the wild.

We're going to be leaving a link to a Reddit post where a lot of the details are, but we wanted to get the word out, because sometimes people are not aware that this is happening until it's too late, and you don't really want to have to restore from backups, because you don't know when it happened to you. If you found this on the server, doing the forensics of when it got there is not fun at all. So break down a little bit about how this exploit works.

Yeah, absolutely.
So Microsoft has posted four CVEs right now, and they all require a variety of different things to get them working, but one of them is a vulnerability that doesn't require you to have credentials, really. It's just abusing some stuff over HTTP, and if you do go look at any of the posts, there's going to be like four CVEs. Usually the first one on the list, because it's the first numbered one, is going to be the one that is getting abused. So what happens is the attackers are able to abuse that. They're able to send these arbitrary HTTP requests to that, and what we're seeing typically is they're creating web shells, right? So they're dropping these randomly-named-looking files in that accessible directory. It's kind of part of the inetpub directory where all your files are hosted. And so yeah, they're creating web shells, and then they use those web shells to do other nefarious things: abuse the other CVEs, or create like an admin account, or remove or add people to groups, that kind of stuff.

Yeah, it becomes the "in" to your network where there's lateral movement. I think you'd said so far, from your insight, there's not anything, especially at the time this one is released (maybe by the time you watch this video there's something out there), but none of the antiviruses or anything, there's not even a good web filtering for it. No one's seen this coming, so it kind of passes through, hence the zero-day notice of it. So you're not safe. If you have this, you're good?

No, if you've got an exposed Exchange server, you are at potential risk, and you need to first patch and then look for some of these web shells that are exploited in there.

Yeah, absolutely. Getting patched is the key number one. Microsoft has released patches for all supported versions of Exchange, and even one that was technically not supported. They even released a patch for Exchange 2010, which was end of life.
I think back in like October. This was kind of one of those like, look, it's so bad, they're calling it a defense-in-depth patch, so they're even patching that Exchange 2010. So definitely go find those and get updated, and then start looking for those indicators of compromise, which are not that hard to find, right? There's a lot of good information out there on what to look for.

Yeah, and kind of related to this, you know, just like I'll say an untested backup is wishful thinking, untested patches, even though it said it patched... I see this is part of the Reddit discussion, and there's a lookup to make sure the patch was applied, not just that the number was incremented. So there's a little test that you have to do after the patch, right?

Yeah, absolutely. All that information is easily accessible, but sure, it's kind of like just with any kind of vulnerability you patch, you want to make sure that it did actually apply. We did see a lot of reports of folks running the patch but maybe not running it in an administrator context, and then it not applying fully or correctly, so parts of it worked and parts of it didn't. We've even seen some scenarios where people applied the patch, maybe not as admin or something, and it did some things but maybe it even broke others, like OWA or Outlook Web Access was having some trouble working and stuff if it didn't apply correctly. So definitely verify once you get it patched to make sure that it is doing all the things it's supposed to.

Yeah, and Kevin, and it's linked in the Reddit post and I'll make sure I link it in the links on this video, there's an Nmap script you can run to verify if the patch actually took. So even though, as I said, the number may have incremented, this is a test you can run against your Exchange server to make sure that the vulnerability is actually being closed.

Yeah, that was a really cool script that Kevin put out there. It is linked in that Reddit
thread. It's actually really, really handy. You can even see, you know, because it's open source and all that fancy, you can see all the different versions of Exchange. You'll see the version numbers that it's checking for and how it's doing that, and it will report on those. So definitely a good script to have to help you sniff out those ones that may still be vulnerable in your environment.

Yeah, and for those of you that don't have Exchange and are probably thinking, how much Exchange is out there? How much Exchange is out there?

You know, a lot more than I expected. As we alluded to earlier, I spent a decent part of my career working on nothing but Exchange, and I really thought that, you know, all of the hosted options, right, like the 365s of the world and maybe even some of the G Suites and other ones, I thought that it kind of replaced most of your on-prem mail servers. But as we were talking, there's a lot of industries or maybe jurisdictions or whatnot that are not able to utilize some of the cloud hosts of stuff for a variety of reasons. So I found far more in our environment, in our partners' environments, than I expected to, and unfortunately a large number of those were capable of being vulnerable just from a patching standpoint. So, yeah, it was kind of surprising. So for those folks still out there keeping the Exchange dream alive, you know, definitely check those patch statuses.

Yeah, I right away reached out. I have a friend who's kind of an MSP for government and law enforcement, that's kind of their niche, and they run a ton of on-prem Exchanges. It's just common in that industry. It's all those things that not everyone's aware of. Everyone's like, well, isn't everything in the cloud? No, it's not quite there yet. So this has been interesting. The NSA has tweeted this out. I think I've seen it all over the place.
It is pretty serious. We're just trying to get the word out that if you're watching this, hopefully it's after you patched your Exchange server. Maybe you paused at the beginning of the video and went out and patched, and then verified. Patch plus verify, make sure the whole step. Anything else to add, or is that all we got? We'll just link to the Reddit post.

No, that's pretty much it. The majority, I think all the patches, were released yesterday, so even if you're like, oh, I patched last week or whatever, this is like really, really zero-day. So if you haven't patched... I think I tweeted earlier, I said, hey, if you didn't lose any sleep last night patching Exchange servers, you probably should have. So I mean, these are patches that were released yesterday, so it is very new. Make sure you get those, verify that they're all working, and then definitely check for all those signs, the indicators of compromise, and if you do find any of those web shells that are on there, you know, get those off the machine and then start expanding your search further to see how deep that rabbit hole goes, to make sure that the attackers weren't able to pivot and do other things.

Yeah, and just for clarity, the patches were released on March 2nd, 2021, and today is March 3rd. So yeah, get patched. If you're watching this right now, get patched, and if you're watching this a little while from now, hopefully you are completely... We'll leave you links down below on how to get this going, and thanks.