Microsoft updated its Microsoft Safety Scanner (MSERT) tool to include capabilities to detect web shells used by hackers in the recent attacks on Exchange Servers.
Earlier this month, Microsoft released emergency security updates to address four zero-day issues tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in all supported Microsoft Exchange versions.
Based on observed victimology, tactics and procedures, Microsoft Threat Intelligence Center (MSTIC) links these attacks on Exchange servers to a China-backed APT group it calls HAFNIUM. The group was involved in cyber espionage against US organizations in multiple sectors, including law firms and infectious disease researchers.
In the attacks, the hackers hijacked the victims' email accounts and installed additional malware.
Microsoft has already updated the Microsoft Defender signatures to detect the web shells deployed after exploitation of the above zero-day flaws.
In the most recent move, Microsoft has also updated the Microsoft Support Emergency Response Tool (MSERT). It can now detect and remove the web shells that have been used in the attacks against Exchange servers.
The MSERT tool is a self-contained executable. Upon launch, it scans the computer for malware and can automatically remove what it detects.
MSERT can do a full scan or perform a “customized scan” of the following paths where malicious files have previously been found:
- %IIS installation path%\aspnet_client\*
- %IIS installation path%\aspnet_client\system_web\*
- %Exchange Server installation path%\FrontEnd\HttpProxy\owa\auth\*
- Configured temporary ASP.NET files path
- %Exchange Server installation path%\FrontEnd\HttpProxy\ecp\auth\*
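The five paths above are also the ones a defender will want to triage by hand while waiting for a scan. The following PowerShell script is an added example, not part of Microsoft's tooling or of the original article. It resolves those paths on the local server and lists ASP.NET handler files (.aspx, .ashx, .asmx) modified within a chosen window, with their SHA-256 hashes for comparison against published indicators. It assumes that Exchange setup exported the ExchangeInstallPath environment variable, that the IIS web root is recorded under HKLM:\SOFTWARE\Microsoft\InetStp\PathWWWRoot, and that the ASP.NET temporary files live in the default location under the .NET runtime directory; the DaysBack parameter and the variable names are the author's own.

```powershell
# Added example: triage the directories MSERT's customized scan covers.
# Assumptions (not from the article): $env:ExchangeInstallPath is set by
# Exchange setup, the IIS web root is in HKLM:\SOFTWARE\Microsoft\InetStp,
# and "Temporary ASP.NET Files" sits under the .NET runtime directory.
param(
    [int]$DaysBack = 30   # hypothetical parameter: how far back to look
)

# Resolve the three roots the MSERT path list is expressed against.
$iisRoot = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' `
            -Name PathWWWRoot -ErrorAction SilentlyContinue).PathWWWRoot
$exRoot  = $env:ExchangeInstallPath
$aspNetTemp = Join-Path ([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) `
              'Temporary ASP.NET Files'

# Build the candidate directory list; skip roots that could not be resolved.
$targets = @()
if ($iisRoot) {
    $targets += Join-Path $iisRoot 'aspnet_client'
    $targets += Join-Path $iisRoot 'aspnet_client\system_web'
}
if ($exRoot) {
    $targets += Join-Path $exRoot 'FrontEnd\HttpProxy\owa\auth'
    $targets += Join-Path $exRoot 'FrontEnd\HttpProxy\ecp\auth'
}
$targets += $aspNetTemp
$targets = $targets | Where-Object { Test-Path -Path $_ }

# Collect handler files written recently; hash them so they can be checked
# against indicator lists without copying the file off the host.
$cutoff = (Get-Date).AddDays(-$DaysBack)
$hits = foreach ($dir in $targets) {
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx `
                  -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($hits) {
    $hits | Sort-Object -Property LastWriteTime -Descending
} else {
    Write-Host "No recently modified ASP.NET handlers under: $($targets -join '; ')"
}
```

Two caveats when reading the output. The owa\auth and ecp\auth directories legitimately contain .aspx files, so a hit there is only interesting if its timestamp or hash does not match a known-good server of the same build; and a file list is triage, not detection: a web shell renamed to a non-handler extension, or one already cleaned up by the attacker, will not appear, which is why the signature-based MSERT or Defender scan still needs to run.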
Microsoft notes that these remediation steps are effective against known attack patterns but do not protect against all possible exploitation of the above vulnerabilities.
For customers who can’t quickly apply security updates, Microsoft provided alternative mitigation procedures.
“Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019: Implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services,” the Microsoft team wrote in a post.