This is an active exploitation of customers' on-prem Exchange servers, and our research suggests that the spread is much larger than Microsoft had initially disclosed.
Our team has published a Reddit thread and blog post to provide an overview of this threat and what we’re doing in response—check out the highlights below. Join us for a webinar Thursday, March 4th at 1:00pm EST to learn more about these vulnerabilities.
According to Microsoft’s initial blog, they detected multiple zero-day exploits being used to plunder on-premises versions of Microsoft Exchange Server in what they claim are “limited and targeted attacks.” From our own data and analysis, we’ve checked over 2,000 Exchange servers and found ~400 vulnerable, with a further ~100 potentially vulnerable.
Why is this significant?
We have seen indicators that this is a large-scale, spray-and-pray attack—not just “limited and targeted attacks” as Microsoft suggested. The targeted organizations range from small hotels, appliance manufacturing, mom-and-pop shops all the way up to city and county governments, healthcare providers, banks and financial institutions and residential electricity providers.
Among the vulnerable servers, we also found over 300 webshells deployed—some targets have more than one webshell, potentially indicating automated deployment or multiple uncoordinated actors. And from what we’ve seen, the majority of these endpoints do have antivirus or EDR solutions installed—indicating that preventive security measures have failed to catch this threat.
What should you do?
If you use on-prem Microsoft Exchange Servers, assume you’ve been hit. We recommend you patch immediately, externally validate the patch, and hunt for the presence of these webshells and other indicators of compromise (visit the blog for more technical details).
On your Exchange servers, examine these filesystem paths:
• C:\inetpub\wwwroot\aspnet_client\system_web\ (if system_web exists)
If you see unfamiliar .aspx files with random names, and their contents look like log output with an ExternalUrl line indicating the use of “JScript” code, there is a strong possibility this host is compromised.
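As an added example (not code from this post), a PowerShell check that applies the criteria above to the path named: it lists .aspx files there whose content contains both ExternalUrl and JScript, and records size, timestamps and a SHA-256 hash so the file can be handed to incident response without being altered. The function name, parameters and output fields are assumptions; the path is the one given above.

```powershell
# Added example, not the post's own tooling. Flags .aspx files under the path named
# above whose content carries an ExternalUrl line referencing JScript. Run as
# Administrator on each Exchange server; a hit is a lead for IR, not proof by itself.
function Find-SuspiciousAspx {
    param(
        # Path from the post; system_web may not exist on every server
        [string[]]$Paths = @('C:\inetpub\wwwroot\aspnet_client\system_web')
    )
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter *.aspx -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                # -Raw returns $null for an empty file; skip those
                $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
                if ($null -eq $text) { return }
                # Both markers from the post, matched case-insensitively
                $hasExternalUrl = $text -match '(?i)ExternalUrl'
                $hasJScript     = $text -match '(?i)JScript'
                if ($hasExternalUrl -and $hasJScript) {
                    [pscustomobject]@{
                        Path     = $file.FullName
                        Bytes    = $file.Length
                        Created  = $file.CreationTimeUtc
                        Modified = $file.LastWriteTimeUtc
                        SHA256   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                        Reason   = 'ExternalUrl line referencing JScript'
                    }
                }
            }
    }
}

# Keep the output with your IR notes; do not delete or edit matched files before
# they have been preserved for analysis.
Find-SuspiciousAspx | Format-Table -AutoSize
```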