-
- Enthusiast
- Posts: 78
- Liked: 10 times
- Joined: Jun 08, 2013 10:52 am
- Full Name: Peter Howarth
- Contact:
Exchange exploit restore
Hi
You may be aware of the international Exchange (OWA) exploits hitting hundreds of thousands of organisations this week.
Sadly I'm one of them.
I'm wondering about restoring Exchange to last Tuesday (before the exploit) and then restoring the Mailbox Database from last night. Will this work in Exchange and keep all emails up to the point of last night's Mailbox Database backup, or is there something else I need to be aware of?
Peter
-
- Chief Product Officer
- Posts: 31815
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Exchange exploit restore
Hi, Peter. While I don't have much experience with Microsoft Exchange administration, overall your plan seems valid. Thanks!
-
- VeeaMVP
- Posts: 1007
- Liked: 314 times
- Joined: Jan 31, 2011 11:17 am
- Full Name: Max
- Contact:
Re: Exchange exploit restore
If you didn't install any CU/updates since your Tuesday backup then it should work. To be on the safe side I would suggest doing the restore to a different location and then adding your existing database/log disk to the restored VM; that way you could still switch back. And create a backup of your 'hacked' Exchange.
There are still not many details on the attack, besides what is happening on the Exchange server. The attackers could already have done additional attacks in your network; unfortunately I can tell you what to look for and what additional steps to take.
Check your servers/network for anomalies and change all your passwords (including user passwords).
Inform your organization as they could have exported all mail information and start targeting users.
And install the necessary updates after restoring your server.
If I were affected I would ask a 3rd party security advisor for help.
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Exchange exploit restore
Like Regnor said, if you were hit through the Exchange security issue, then the hacker is already in your network, not only on your Exchange server.
Restoring the Exchange server will not bring you any luck; the damage is done.
I would involve a 3rd party security advisor if you don't have an internal department for that and are suspecting strange behaviour on your network/servers/firewall.
Microsoft has released a script to check the logs for whether a hacker has attacked the Exchange security bug:
Technical information:
https://www.microsoft.com/security/blog ... e-servers/
Script:
https://github.com/microsoft/CSS-Exchan ... n/Security
Product Management Analyst @ Veeam Software
-
- Enthusiast
- Posts: 78
- Liked: 10 times
- Joined: Jun 08, 2013 10:52 am
- Full Name: Peter Howarth
- Contact:
Re: Exchange exploit restore
Unfortunately I've already run that Microsoft PowerShell script and confirmed the exploit and the presence of one of the known ASPX files.
I've got a call out to our Exchange support company but haven't heard anything yet; we typically do it all in house and just have them there as a backstop. I think this is a backstop situation!
I'll keep reading and looking.
-
- Novice
- Posts: 7
- Liked: 3 times
- Joined: May 13, 2013 1:53 am
- Full Name: Adrian
- Contact:
Re: Exchange exploit restore
We got this running that MS script, but no sign of any webshell activity, aspx files or non-standard web log user-agents. What other IoCs did you find?
[CVE-2021-26855] Suspicious activity found in Http Proxy log!
DateTime AnchorMailbox
-------- -------------
2021-03-03T08:10:37.453Z ServerInfo~a]@Exchange.company.local:444/autodiscover/autodiscover.xml?#
-
- Enthusiast
- Posts: 63
- Liked: 9 times
- Joined: Nov 29, 2016 10:09 pm
- Contact:
Re: Exchange exploit restore
@Otago For the same date we found exactly the same and we are treating it as an "IoC", because this is an IoC and it might be followed by other chain exploits yet unknown to the community. So a "not-in-any-meaning-lower" incident response is running... would recommend the same to you and your environment.
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Exchange exploit restore
Microsoft has updated their Microsoft Safety Scanner (MSERT) tool. It can detect deployed web shells from last week's Exchange server attacks.
https://docs.microsoft.com/en-us/window ... r-download
Product Management Analyst @ Veeam Software
-
- Novice
- Posts: 7
- Liked: 3 times
- Joined: May 13, 2013 1:53 am
- Full Name: Adrian
- Contact:
Re: Exchange exploit restore
Thank you for the suggestions. Best of luck
-
- Service Provider
- Posts: 24
- Liked: 11 times
- Joined: Jul 25, 2016 2:36 pm
- Full Name: Philip Elder
- Location: St. Albert, AB, Canada
- Contact:
Re: Exchange exploit restore
Otago wrote: ↑Mar 08, 2021 4:11 am
We got this running that MS script, but no sign of any webshell activity, aspx files or non-standard web log user-agents. What other IoCs did you find?
[CVE-2021-26855] Suspicious activity found in Http Proxy log!
DateTime AnchorMailbox
-------- -------------
2021-03-03T08:10:37.453Z ServerInfo~a]@Exchange.company.local:444/autodiscover/autodiscover.xml?#
This one is benign. Safe to ignore.
-
- Service Provider
- Posts: 24
- Liked: 11 times
- Joined: Jul 25, 2016 2:36 pm
- Full Name: Philip Elder
- Location: St. Albert, AB, Canada
- Contact:
Re: Exchange exploit restore
howartp wrote: ↑Mar 06, 2021 11:27 pm
Hi
You may be aware of the international Exchange (OWA) exploits hitting hundreds of thousands of organisations this week.
Sadly I'm one of them.
I'm wondering about restoring Exchange to last Tuesday (before the exploit) and then restoring the Mailbox Database from last night. Will this work in Exchange and keep all emails up to the point of last night's Mailbox Database backup, or is there something else I need to be aware of?
Peter
You do what's called a "Forklift Restore".
Restore your Exchange partition (if you have separate partitions for each).
This is the Exchange PowerShell that will allow Exchange to use the existing and up to date database/log files:
Code:
# Exchange Forklift Restore
# Enable overwrite: allow a file-level restore over the database files
Set-MailboxDatabase "Mailbox Database YOURS" -AllowFileRestore $true
# Dismount Database
Dismount-Database "Mailbox Database YOURS" -Confirm:$False
# Copy Files: copy the current .edb, log and checkpoint files from the existing database/log disk over the restored copies here
# Mount the database
Mount-Database "Mailbox Database YOURS"
# Disable overwrite
Set-MailboxDatabase "Mailbox Database YOURS" -AllowFileRestore $False
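As an added example (not Philip's code and not a Veeam or Microsoft script), here is a checked version of the forklift restore above for the Exchange Management Shell on the restored server. It assumes the database name, that eseutil.exe is on the PATH (it normally is on an Exchange server), and that the up-to-date .edb and log files from the existing database/log disk are reachable at the assumed $SourceEdb and $SourceLogDir paths. The header check refuses to overwrite anything if the source database is not in Clean Shutdown state, which is the usual reason a forklifted database fails to mount.

```powershell
# Added example: forklift restore with a clean-shutdown check and rollback copies.
# Assumed values: database name and source paths; adjust before running.
param(
    [string]$DatabaseName = "Mailbox Database YOURS",                  # assumed name
    [string]$SourceEdb    = "E:\Current\Mailbox Database YOURS.edb",   # assumed path
    [string]$SourceLogDir = "E:\Current\Logs"                          # assumed path
)

$ErrorActionPreference = 'Stop'

# Where the restored server expects the database and its logs to live
$db = Get-MailboxDatabase -Identity $DatabaseName -Status
$targetEdb    = $db.EdbFilePath.PathName
$targetLogDir = $db.LogFolderPath.PathName
Write-Host "Target EDB : $targetEdb"
Write-Host "Target logs: $targetLogDir"

# A database that was not cleanly dismounted needs log replay (eseutil /r) first;
# inspect the header before overwriting anything on the restored server.
$header = & eseutil /mh $SourceEdb
$state  = ($header | Select-String 'State:').Line
Write-Host "Source DB header: $state"
if ($state -notmatch 'Clean Shutdown') {
    throw "Source database is not in Clean Shutdown state; run eseutil /r against the log set first."
}

# Allow file-level restore and take the database offline
Set-MailboxDatabase -Identity $DatabaseName -AllowFileRestore $true
if ($db.Mounted) {
    Dismount-Database -Identity $DatabaseName -Confirm:$false
}

# Keep the restored (old) database, log and checkpoint files so a rollback stays possible;
# the stale .chk file must not remain next to the new logs or the mount can fail.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
if (Test-Path $targetEdb) {
    Rename-Item -Path $targetEdb -NewName ("{0}.pre-forklift-{1}" -f (Split-Path $targetEdb -Leaf), $stamp)
}
Get-ChildItem -Path $targetLogDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.log', '.chk', '.jrs' } |
    ForEach-Object { Rename-Item -Path $_.FullName -NewName ("{0}.pre-forklift-{1}" -f $_.Name, $stamp) }

# Copy the up-to-date database and log set into place
Copy-Item -Path $SourceEdb -Destination $targetEdb
Copy-Item -Path (Join-Path $SourceLogDir '*') -Destination $targetLogDir -Recurse

# Bring the database back online and switch file-restore mode off again
Mount-Database -Identity $DatabaseName
Set-MailboxDatabase -Identity $DatabaseName -AllowFileRestore $false

# Confirm the result
Get-MailboxDatabase -Identity $DatabaseName -Status | Format-List Name, Mounted, LastFullBackup
```

Run it only after inbound 443/SMTP has been cut at the edge, as the posts above recommend, and keep the renamed pre-forklift files until the mounted database has been verified and backed up.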
-
- Service Provider
- Posts: 24
- Liked: 11 times
- Joined: Jul 25, 2016 2:36 pm
- Full Name: Philip Elder
- Location: St. Albert, AB, Canada
- Contact:
Re: Exchange exploit restore
IMPORTANT: Disable HTTPS 443 port forwarding to Exchange prior to restoring.
Run the latest CU then run the security update for the latest CU.
IMPORTANT: Run _both_ from an elevated CMD!!!
.NET binaries may require an update prior. If so, keep in mind that .NET keeps compiling in the background after the update GUI so-called finishes. Watch Task Manager for any .NET compiling post-update, as Exchange will verify services and complain. For obvious reasons, don't KILL them; let them finish.
-
- Service Provider
- Posts: 24
- Liked: 11 times
- Joined: Jul 25, 2016 2:36 pm
- Full Name: Philip Elder
- Location: St. Albert, AB, Canada
- Contact:
Re: Exchange exploit restore
If .ASPX files are found in C:\inetpub\wwwroot\aspnet_client\system_web\*.aspx or C:\inetpub\wwwroot\aspnet_client\*.aspx then there will probably be data exfiltration mentions in the logs.
NOTE:
1: Do an immediate PowerShell search for new accounts in AD
2: Reset ALL domain admin credentials (my preference is to copy the primary that has full permissions and disable the existing then create new)
3: Reset all users
4: Verify no new user/admin accounts in local groups/users.
5: Verify C:\Users\%UserName%\*.exe or C:\Users\%UserName%\*\*.exe files (Trojans/etc.)
Group Policy based Software Restriction Policies can help here as far as blocking the usual suspects for malware/ransomware locations.
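As an added example (not Philip's script, and not anything Microsoft ships), the following PowerShell collects the checks from the numbered list above into one defender-side sweep. It assumes an elevated PowerShell 5.1 session on the Exchange server, the ActiveDirectory RSAT module for the AD queries, and that $Since is the date of the last known-good backup; it only reads and reports, so the actual credential resets remain a manual step.

```powershell
# Added example: read-only IoC sweep covering the checks listed in the post.
# Assumption: $Since is the last known-good point in time (adjust to your backup date).
param(
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$findings = @()

# 1. Web shell drop locations named in the thread (ASP.NET client folders under inetpub)
$webRoots = @(
    'C:\inetpub\wwwroot\aspnet_client',
    'C:\inetpub\wwwroot\aspnet_client\system_web'
)
foreach ($dir in $webRoots) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += [pscustomobject]@{ Check = 'aspx in aspnet_client'; Item = $_.FullName; When = $_.LastWriteTimeUtc } }
    }
}

# 2. AD accounts created since the known-good point (new user or admin accounts)
Import-Module ActiveDirectory -ErrorAction Stop
Get-ADUser -Filter * -Properties whenCreated |
    Where-Object { $_.whenCreated -ge $Since } |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'new AD user'; Item = $_.SamAccountName; When = $_.whenCreated } }

# 3. Current membership of the high-value groups, to compare against your known list
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += [pscustomobject]@{ Check = "member of $group"; Item = $_.SamAccountName; When = $null } }
}

# 4. Local accounts and local Administrators membership on this server
Get-LocalUser | Where-Object { $_.Enabled } |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'local user (enabled)'; Item = $_.Name; When = $_.LastLogon } }
Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'local Administrators member'; Item = $_.Name; When = $null } }

# 5. Executables directly under user profiles and one level below.
#    The date filter is a first pass only; drop it to list every file, since timestamps can be altered.
Get-ChildItem -Path 'C:\Users\*\*.exe', 'C:\Users\*\*\*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTimeUtc -ge $Since } |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'exe in user profile'; Item = $_.FullName; When = $_.LastWriteTimeUtc } }

# Emit a sortable report and keep a CSV copy with the incident notes
$findings | Sort-Object Check, When | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\exchange-ioc-sweep-$(Get-Date -Format yyyyMMdd-HHmmss).csv" -NoTypeInformation
```

Anything the sweep lists is a lead to verify, not a verdict: a member of Domain Admins is expected, a fresh account or an .aspx file in aspnet_client is not, and the CSV gives you the list to hand to the security advisor the earlier replies recommend.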
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jul 13, 2016 10:01 am
- Full Name: Albert Culleton
- Contact:
Re: Exchange exploit restore
I was wondering, if the CU23 update had been installed, would it still be possible to restore the Exchange and Domain controller (small setup, 1 DC, no major AD changes) to pre-exploit attack and then install the CU23 and patch and then restore the current mailbox database on to this "Clean environment"?
Regnor wrote: ↑Mar 07, 2021 6:00 am
If you didn't install any CU/updates since your Tuesday backup then it should work. To be on the safe side I would suggest doing the restore to a different location and then adding your existing database/log disk to the restored VM; that way you could still switch back. And create a backup of your 'hacked' Exchange.
There are still not many details on the attack, besides what is happening on the Exchange server. The attackers could already have done additional attacks in your network; unfortunately I can tell you what to look for and what additional steps to take.
Check your servers/network for anomalies and change all your passwords (including user passwords).
Inform your organization as they could have exported all mail information and start targeting users.
And install the necessary updates after restoring your server.
If I were affected I would ask a 3rd party security advisor for help.
-
- Service Provider
- Posts: 24
- Liked: 11 times
- Joined: Jul 25, 2016 2:36 pm
- Full Name: Philip Elder
- Location: St. Albert, AB, Canada
- Contact:
Re: Exchange exploit restore
ACulleton wrote: ↑Mar 08, 2021 10:35 pm
I was wondering, if the CU23 update had been installed, would it still be possible to restore the Exchange and Domain controller (small setup, 1 DC, no major AD changes) to pre-exploit attack and then install the CU23 and patch and then restore the current mailbox database on to this "Clean environment"?
@ACulleton You can step back then Forklift the most current database (take a backup prior to shutting down, after disabling SMTP inbound at the edge).
Since the server is also a DC, there is a small risk of machine passwords being out of sync. You would need to reset them.
Code:
# Option 1: test the secure channel to the domain and repair it if broken
Test-ComputerSecureChannel
# False = broken; repair with domain credentials
$cred = Get-Credential
Test-ComputerSecureChannel -Credential $cred -Repair
# Verify: True = fixed
Test-ComputerSecureChannel
# Option 2: the legacy command-line tools
# nltest /sc_reset:DOMAIN
# netdom resetpwd /server:DCNAME /userd:DOMAIN\MyAdmin /passwordd:*
# Option 3: reset the machine account password directly
# Sign in as local admin on Win10/Server
$Domain = "DOMAIN.Com"
$DomainAdmin = "MyAdmin"
Reset-ComputerMachinePassword -Credential "$($Domain)\$($DomainAdmin)"
-
- Service Provider
- Posts: 24
- Liked: 11 times
- Joined: Jul 25, 2016 2:36 pm
- Full Name: Philip Elder
- Location: St. Albert, AB, Canada
- Contact:
Re: Exchange exploit restore
Helping on too many forums so curating a one-stop location with everything we are doing:
https://www.experts-exchange.com/articl ... tions.html