Microsoft HAFNIUM Update: Exchange Server Patches

At the start of the year, Microsoft detected four concerning zero-day exploits that have since been widely leveraged to attack on-premises versions of Microsoft Exchange Server.

Thankfully, Exchange Online users are not affected by these specific vulnerabilities, but if your organization uses on-premises Exchange, any account tied to that server may be at risk and any connected networks should be analyzed for further indications of compromise (IOC). As our previous OTO article shared, these exploits have given threat actors access to email accounts and the ability to install additional malware for persistence. It is recommended that all Exchange Servers be patched immediately by installing the latest updates outlined below.

  • Exchange Server 2010 – be sure to install the update, KB5000978, that was released on March 2, 2021.
  • Exchange Server 2013, 2016, and 2019 – install the update, KB5000871, that was released on March 2, 2021. While this can stop further attacks, the updates will not evict a threat actor that has already compromised the system. So additionally, it is recommended to externally validate the patch and investigate if any compromise has occurred.

Microsoft Safety Scanner has also been updated to be able to scan Microsoft Exchange Servers in order to find and remove web shells and malware. The tool can be found https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download and is recommended to be run immediately.

To determine the exploit status of an Exchange server, it is recommended to scan the logs using a PowerShell script from the Exchange Management shell, Test-ProxyLogon.ps1, which checks the Exchange server and saves the report. The GitHub Repository containing the script and instructions on how to use it can be found here: https://github.com/microsoft/CSS-Exchange/tree/main/Security.

If you have already been exploited, every second matters in ensuring your data is secured and that any existing unauthorized access is eradicated. Schneider Downs has a team of Digital Forensics and Incident Response (DFIR) experts available to help 24x7x365 at 1-800-993-8937.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

Want more cybersecurity content? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, for the latest insight and news in the cybersecurity world.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Guidance for NERC-CIP-013-01 Compliance
Ransomware Groups Attack Washington DC Police and QNAP Clients
Controlled Unclassified Information: Labeling Requirements for CMMC and NIST 800-171
What is a SOC for Cybersecurity report and who needs one?
FTC Issues COVID-19 Vaccine Scam Alert
Was My Data Breached or Scraped?
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

[email protected]
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

[email protected]
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102

[email protected]
p:571.380.9003