If you are operating on-premises Exchange Servers, then you will be aware of the recent HAFNUIM campaign to exploit vulnerabilities in internet-facing servers. Microsoft is strongly urging customers to immediately update their on-premises Exchange Server systems.<\/p>\n\n\n\n
Excerpt from \u2018HAFNIUM targeting Exchange Servers with 0-day exploits<\/a>\u2019<\/p>\n\n\n\n Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.<\/em><\/p>\n\n\n\n The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed by the Microsoft Security Response Center (MSRC) release \u2013 Multiple Security Updates Released for Exchange Server.<\/em><\/p>\n\n\n\n This article outlines the steps to detect and mitigate the exploit, then patch the servers using the latest Cumulative Updates (CU).<\/p>\n\n\n\n The scripts and activities outlined in this article are only for the following supported versions of Exchange Server:<\/p>\n\n\n\n Note: Microsoft did release a Defense in Depth Update for Exchange Server 2010 which can be found here<\/a>. Many of the principles and best practices in this document can be applied when updating Exchange Server 2010<\/p>\n\n\n\n There is an old military adage which states, \u201cProper Preparation Prevents Poor Performance\u201d. Preparation is essential to minimize risk. It is advisable you review and\/ or enact each preparation or pre-check item before executing the mitigation and upgrade activities.<\/p>\n\n\n\n Refer to the \u2018Exchange Server supportability matrix<\/a>\u2019 to locate information about the level of support available for any configuration or required component for supported versions of Microsoft Exchange Server.<\/p>\n\n\n\n Key components which should be closely investigated are:<\/p>\n\n\n\n Important!<\/strong> Many clients may be running outdated Exchange Server Cumulative Updates and .NET Framework Versions. Microsoft displays the following disclaimer regarding the upgrade from outdated CUs that are using older .NET versions. If you’re upgrading Exchange Server from an unsupported CU to the current CU and no intermediate CUs are available, you should first upgrade to the latest version of .NET which is supported by your version of Exchange Server and then immediately upgrade to the current CU. This method doesn’t replace the need to keep your Exchange servers up to date and on the latest supported CU. Microsoft makes no claim an upgrade failure will not occur using this method, which may result in the need to contact Microsoft Support Services.<\/em><\/p>\n\n\n\n Please ensure you have a recently tested, reliable and working full backup of both Active Directory and the Exchange Server(s).<\/p>\n\n\n\n Review Microsoft\u2019s documented recommendations and instructions for upgrading Exchange Server to the latest CU in the article, \u2018Upgrade Exchange to the latest Cumulative Update<\/a>\u2019.<\/p>\n\n\n\n Key sections and instructions which should be closely investigated include:<\/p>\n\n\n\n Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted on the server(s) being updated.<\/p>\n\n\n\n To verify the policy settings, run the Get-ExecutionPolicy<\/em> cmdlet from PowerShell on the machine being upgraded.<\/p>\n\n\n\n If the server is subject to a GPO which controls the Windows PowerShell Script Execution Policy, refer to the Microsoft article \u2018ExecutionPolicy GPO is defined<\/a>\u2018 to temporarily remove any definition of MachinePolicy or UserPolicy in the ExecutionPolicy GPO.<\/p>\n\n\n\n Temporarily disable any anti-virus software prior to the update process.<\/p>\n\n\n\n Check Windows Event Logs for any Warning or Errors which may need to be addressed prior to conducting any change activities on the server(s).<\/p>\n\n\n\n Check Exchange-specific crimson channel event logs located under Applications and Services for any Warning or Errors that may need to be addressed prior to conducting any change activities on the server(s).<\/p>\n\n\n\n Ensure Active Directory is healthy before conducting any change activities. This may include:<\/p>\n\n\n\n Verify whether you have spare hardware (or enough resources in a Virtual environment) for the RecoverServer process in the event the installation will not complete successfully, and the server is in a state which cannot be reverted.<\/p>\n\n\n\n Download the following scripts and software which will either be executed against or installed on the Exchange server(s).<\/p>\n\n\n\n Install the updates in the following order based on server role.<\/p>\n\n\n\n The following procedure is represented more as a checklist of activities to be completed and does not provide step-by-step instructions for each activity being performed. Please refer to the Microsoft-specific documentation for step-by-step instructions for execution.<\/p>\n\n\n\n Important!<\/strong> Please be sure to execute all scripts and apply all updates from an elevated<\/u><\/strong> command prompt (Start a Command Prompt as an Administrator<\/a>). Although the scripts and updates may appear to run successfully when executing from a non-elevated command prompt, some services may not start, or certain settings may not be applied properly.<\/p>\n\n\n\n Run the HealthChecker Script to get an inventory of the update-level status of the on-premises Exchange server(s)<\/p>\n\n\n\n Run the One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT.ps1) to detect, protect and mitigate CVE-2021-26855<\/p>\n\n\n\n Run Test-ProxyLogon.ps1 script to check for HAFNIUM indicators of compromise (IOCs) to address performance and memory concerns.<\/p>\n\n\n\n The following procedure is represented more as a checklist of activities to be completed and does not provide step-by-step instructions for each activity being performed. Please refer to the Microsoft-specific documentation for step-by-step instructions for execution.<\/p>\n\n\n\n Important!<\/strong> Please be sure to execute all scripts and apply all updates from an elevated<\/u><\/strong> command prompt (Start a Command Prompt as an Administrator<\/a>). Although the scripts and updates may appear to run successfully when executing from a non-elevated command prompt, some services may not start, or certain settings may not be applied properly.<\/p>\n\n\n\n Although the CU may not require a Schema update, it is best practice to execute the preparation commands to confirm no errors and ensure a proper and consistent configuration. Refer to the Microsoft article \u2018Prepare Active Directory and domains for Exchange Server<\/a>\u2019 for the proper procedure.<\/p>\n\n\n\n Execute each preparation command individually. Check AD Replication after each switch is run.<\/p>\n\n\n\n If the Exchange Server is a member of a DAG, you should first put the DAG member in maintenance mode.<\/p>\n\n\n\n Refer to the Microsoft article \u2018Performing maintenance on DAG members<\/a>\u2019 for the proper procedure.<\/p>\n\n\n\n Reboot server prior to installing software updates to ensure no reboots are pending or any prior updates applied.<\/p>\n\n\n\n Install the correct new .Net version.<\/p>\n\n\n\n Note: Keep in mind this step can take up to 40 minutes or longer, therefore do not stop the installation and keep waiting until it ends successfully.<\/p>\n\n\n\n Important!<\/strong> After the .Net installation completes, reboot<\/u><\/strong> the server.<\/p>\n\n\n\n Install the Cumulative Update for Exchange.<\/p>\n\n\n\n Important! After the CU installation completes, reboot<\/u><\/strong> the server.<\/p>\n\n\n\n Perform post-install integrity checking and updates, which includes:<\/p>\n\n\n\n If you run into issues after installation, please see \u2018Repair failed installations of Exchange Cumulative and Security updates<\/a>\u2019 for resolution instructions.<\/p>\n\n\n\n If the Exchange Server is a member of a DAG and was placed in maintenance mode, take the DAG member out of maintenance mode.<\/p>\n\n\n\n Refer to the Microsoft article \u2018Performing maintenance on DAG members<\/a>\u2019 for the proper procedure.<\/p>\n\n\n\n Verify full functionality of server and any dependency applications connecting to Exchange (Backup, Archiving, Monitoring, Mail Relay, etc.)<\/p>\n\n\n\n Initiate a full backup of both the Active Directory and the Exchange Server(s).<\/p>\n\n\n\n HAFNIUM targeting Exchange Servers with 0-day exploits<\/a><\/p>\n\n\n\n Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities<\/a><\/p>\n\n\n\n One-Click Microsoft Exchange On-Premises Mitigation Tool \u2013 March 16, 2021<\/a><\/p>\n\n\n\n\n
PREPARATION AND PRE-CHECKS<\/span><\/h3>\n\n\n\n
1. EXCHANGE SUPPORTABILITY MATRIX<\/span><\/h3>\n\n\n\n
\n
1.1 BACKUP<\/span><\/h3>\n\n\n\n
1.2 MICROSOFT ARTICLE \u2013 \u2018UPGRADE EXCHANGE TO THE LATEST CUMULATIVE UPDATE\u2019<\/span><\/h3>\n\n\n\n
\n
\n
1.3 WINDOWS POWERSHELL SCRIPT EXECUTION POLICY<\/span><\/h3>\n\n\n\n
1.4 DISABLE ANTIVIRUS SOFTWARE<\/span><\/h3>\n\n\n\n
1.5 WINDOWS EVENT LOGS<\/span><\/h3>\n\n\n\n
1.6 ACTIVE DIRECTORY HEALTH<\/span><\/h3>\n\n\n\n
\n
\n
\n
1.7 SPARE HARDWARE<\/span><\/h3>\n\n\n\n
2. DOWNLOADS<\/span><\/h3>\n\n\n\n
\n
\n
\n
\n
3. UPGRADE ORDER OF PRECENDENCE<\/span><\/h3>\n\n\n\n
\n
\n
\n
4. DETECTION AND REMEDIATION PROCEDURE<\/span><\/h3>\n\n\n\n
4.1 EXECUTE HEALTHCHECKER SCRIPT<\/span><\/h3>\n\n\n\n
4.2 ONE-CLICK MICROSOFT EXCHANGE ON-PREMISES MITIGATION TOOL<\/span><\/h3>\n\n\n\n
4.3 TEST-PROXYLOGON SCRIPT<\/span><\/h3>\n\n\n\n
5. UPGRADE PROCEDURE<\/span><\/h3>\n\n\n\n
5.1 PREPARE ACTIVE DIRECTORY AND DOMAINS FOR EXCHANGE SERVER<\/span><\/h3>\n\n\n\n
\n
5.2 DAG SERVER \u2013 START MAINTENANCE MODE<\/span><\/h3>\n\n\n\n
5.3 REBOOT SERVER<\/span><\/h3>\n\n\n\n
5.4 .NET INSTALL<\/span><\/h3>\n\n\n\n
5.5 CU INSTALL<\/span><\/h3>\n\n\n\n
\n
5.6 DAG SERVER \u2013 STOP MAINTENANCE MODE<\/span><\/h3>\n\n\n\n
5.7 VERIFY<\/span><\/h3>\n\n\n\n
5.8 BACKUP<\/span><\/h3>\n\n\n\n
REFERENCES<\/span><\/h3>\n\n\n\n