- Kevin
- March 8, 2021
- 6:19 pm
(Microsoft Exchange) Have You Been Compromised?
Over the past several days, Microsoft released updated scripts to check the security status of Exchange servers. In addition to checking for vulnerabilities associated with the recent 0-day exploits, these scripts scan Exchange log files looking for indicators of compromise (IOCs). If you manage a Microsoft Exchange server and haven’t already tested it, please do so ASAP!
If you find signs of a compromised server, please take a conservative approach to remediation and investigation (“assumed guilty until proven innocent”). Many of the organizations affiliated with these attacks are believed to be state-sponsored and advanced at post-exploitation.
Recommended Response (per Microsoft) to Compromise
- Assume compromise of communication channels (email, internal chat, etc.). Do not discuss remediation or investigation within any channels that the attacker may be monitoring.
- Deploy patches to affected Exchange Server(s).
- Investigate indicators of compromise, paying special attention to signs of persistence.
- Remediate any identified exploitation, persistence, or additional compromise.
AlphaONE specializes in SMB companies that may not have IT or Security staff on hand to address security events like this. If you require any assistance with scanning, testing, remediation, or investigation, give us a call: 833-ALPHA-ONE or 334-245-3125.