(Microsoft Exchange) Have You Been Compromised?
Over the past several days, Microsoft has released updated scripts that check the security status of Exchange servers. Beyond testing whether a server is still vulnerable to the recent zero-day exploits, the scripts scan Exchange log files for indicators of compromise (IOCs). If you manage a Microsoft Exchange server and have not already run them, do so now.
If you find signs of a compromised server, take a conservative approach to remediation and investigation: treat the server as guilty until proven innocent. Many of the groups linked to these attacks are believed to be state-sponsored and skilled at post-exploitation, so a server that now reports as patched is not thereby a server that is clean.
- Assume compromise of communication channels (email, internal chat, etc.). Do not discuss remediation or investigation within any channels that the attacker may be monitoring.
- Deploy the patches to every affected Exchange server. Patching closes the entry point but removes nothing the attacker has already planted, so it is the first step, not the cleanup.
- Investigate the indicators of compromise, paying special attention to signs of persistence (web shells in web-reachable directories, new or modified accounts, scheduled tasks, services).
- Remediate any identified exploitation, persistence, or additional compromise.
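To make the log-scanning and persistence-hunting steps concrete, here is an added example that is neither Microsoft's script nor code from this post. It parses a constructed Exchange HttpProxy log, flags two illustrative indicators, and sweeps a web root for recently written .aspx files. The AnchorMailbox pattern is modeled on one of Microsoft's published indicators for these attacks, but the exact regex, the /owa/auth/ allowlist, the log path mentioned below and every sample row are assumptions made for illustration; Microsoft's own script remains the authoritative check.

```python
import csv
import os
import re
from dataclasses import dataclass

# Constructed sample of an Exchange HttpProxy log. Real files are CSV with '#' metadata
# lines and a '#Fields:' line naming the columns; this sample keeps only a few columns
# and all of its rows are invented for this example.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AnchorMailbox,HttpStatus,UserAgent
2021-03-05T08:00:01.000Z,1,10.0.0.5,/owa/auth/logon.aspx,,200,Mozilla/5.0
2021-03-05T08:00:02.000Z,2,203.0.113.7,/ecp/default.flt,ServerInfo~a]@exchange.example.local:444/autodiscover/autodiscover.xml?#,200,python-requests/2.25.1
2021-03-05T08:00:03.000Z,3,10.0.0.9,/ews/exchange.asmx,Smtp~alice@example.local,200,Microsoft Office/16.0
2021-03-05T08:00:04.000Z,4,203.0.113.7,/owa/auth/help.aspx,,200,python-requests/2.25.1
"""

# Example indicator (assumption, modeled on Microsoft's published AnchorMailbox indicator):
# an AnchorMailbox that names a server and a URL path instead of a mailbox.
ANCHOR_MAILBOX_IOC = re.compile(r"^ServerInfo~[^/]+/", re.IGNORECASE)

# Constructed allowlist of pages expected under /owa/auth/. Build the real one from a
# known-clean install of the same build; anything outside it deserves a look.
KNOWN_OWA_AUTH_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx"}
OWA_AUTH_ASPX = re.compile(r"^/owa/auth/[^/]+\.aspx$", re.IGNORECASE)


@dataclass
class Hit:
    request_id: str
    client_ip: str
    reason: str


def parse_httpproxy_log(text):
    """Yield one dict per request row, keyed by the column names from the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row appeared before the #Fields header")
        row = next(csv.reader([line]))
        yield dict(zip(fields, row))


def scan_httpproxy_log(text):
    """Return a Hit for every row matching one of the example indicators."""
    hits = []
    for row in parse_httpproxy_log(text):
        anchor = row.get("AnchorMailbox", "")
        if ANCHOR_MAILBOX_IOC.match(anchor):
            hits.append(Hit(row["RequestId"], row["ClientIpAddress"], f"AnchorMailbox IOC: {anchor}"))
        url = row.get("UrlStem", "")
        if OWA_AUTH_ASPX.match(url) and url.lower() not in KNOWN_OWA_AUTH_PAGES:
            hits.append(Hit(row["RequestId"], row["ClientIpAddress"], f"unexpected page under /owa/auth/: {url}"))
    return hits


def suspect_clients(hits):
    """Client addresses to pivot on across the rest of the logs (firewall, EWS, OWA, ECP)."""
    return {h.client_ip for h in hits}


def find_recent_aspx(root, since_epoch):
    """Return .aspx files under root modified at or after since_epoch, oldest path first.

    Web shells dropped during exploitation are typically new .aspx files in web-reachable
    directories; pass each served root and the time of the earliest suspicious request.
    """
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".aspx"):
                path = os.path.join(dirpath, name)
                if os.stat(path).st_mtime >= since_epoch:
                    found.append(path)
    return sorted(found)


if __name__ == "__main__":
    for hit in scan_httpproxy_log(SAMPLE_HTTPPROXY_LOG):
        print(f"request {hit.request_id} from {hit.client_ip}: {hit.reason}")
    print("pivot on:", suspect_clients(scan_httpproxy_log(SAMPLE_HTTPPROXY_LOG)))
```

On a real server, point `scan_httpproxy_log` at the files under the Exchange install's Logging\HttpProxy folder (path assumed here) and `find_recent_aspx` at the web roots Exchange serves, using the timestamp of the earliest hit as `since_epoch`. Keep the output off email and chat on the affected domain, for the reason given in the first step above.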