Hacking group Hafnium managed to breach hundreds of thousands of Exchange installations worldwide. An update is currently available to close them security gaps, but it may be too late.
However, Microsoft has also provided some tools to check Exchange installations for signs of breach.
It seems that after her attack Solarwinds από Ρώσους, αποκαλύφθηκε η επόμενη μεγάλη καταστροφή. Οι hackers of the Chinese Hafnium team, exploited vulnerabilities in Exchange servers. The vulnerabilities were not closed with security updates until March 2, 2021.
The attackers 'goal was to gain control of the victims' emails and possibly access and infiltrate their network infrastructure through Active Directory licenses.
In one Publication security firm Rapid7 reports that there are at least 170.000 compromised Exchange servers. The article provides IP addresses that scan the Internetnetwork but also an analysis of how one might detect an infection. More information and analysis is provided at this Microsoft article, as well as in this US-CERT warning.
Microsoft has released a PowerShell script (Test-Hafnium) called Test-ProxyLogon.ps1 to help you identify vulnerabilities. The script and additional notes are on GitHub.
CERT Latvia also published one script on GitHub which can be used to check if an Exchange server contains a webshell.