Η hacking ομάδα Hafnium κατάφερε να παραβιάσει εκατοντάδες χιλιάδες εγκαταστάσεις Exchange παγκοσμίως. Αυτή τη στιγμή διατίθεται μια ενημέρωση για να κλείσετε τα security gaps, but it may be too late.
However, Microsoft has also provided some tools to check Exchange installations for signs of breach.
It seems that after the attack of SolarWinds by the Russians, the next great catastrophe was revealed. The hackers of the Chinese group Hafnium, used vulnerabilities in Exchange servers. The vulnerabilities did not close with the security updates until March 2, 2021.
The attackers' goal was to gain control of the victims' emails and potentially access and penetrate their network infrastructure through their permissions. Active Directory.
In one Publication security firm Rapid7 reports that there are at least 170.000 compromised Exchange servers. The article provides IP addresses that scan the Internet as well as an analysis of how one can detect an infection. More information and analysis are provided in this Microsoft article, as well as in this US-CERT warning.
Microsoft has released a PowerShell script (Test-Hafnium) called Test-ProxyLogon.ps1 to help you identify vulnerabilities. The script and additional notes are on GitHub.
CERT Latvia also published one script on GitHub which can be used to check if an Exchange server contains a webshell.