Microsoft has released a PowerShell script that admins can use to check whether the recently disclosed ProxyLogon vulnerabilities have been used to hack a Microsoft Exchange server.
On March 2nd, Microsoft released out-of-band emergency security updates to fix four zero-day vulnerabilities actively used in attacks against Microsoft Exchange. These vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
When chained together, these vulnerabilities are known as 'ProxyLogon' and allow threat actors to perform remote code execution on publicly exposed Microsoft Exchange servers through Outlook on the web (OWA).
As part of these attacks, the threat actors installed web shells that allowed them to control the server and access the internal network.
These attacks have been attributed to a China state-sponsored hacking group known as HAFNIUM.
Microsoft releases script to check for ProxyLogon hacks
When disclosing these vulnerabilities, Microsoft provided a list of commands that Exchange administrators could use to check whether a server had been hacked.
These commands had to be executed manually to check for indicators of compromise (IOCs) in Exchange HttpProxy logs, Exchange log files, and Windows Application event logs.
Yesterday, Microsoft released a PowerShell script named Test-ProxyLogon.ps1 on the Microsoft Exchange support engineers' GitHub repository to automate these tasks for the administrator.
Microsoft provides the following instructions on using the script to check a single Microsoft Exchange server or all servers in your organization.
To check all Exchange servers in your organization and save the logs to the desktop, enter the following command from the Exchange Management Shell:
Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
If you only want to check the local server and save the logs, enter the following command:
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
Finally, to test only the local server and display the results without saving them, you can run the following command:
.\Test-ProxyLogon.ps1
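For readers who want to see what one of the automated HttpProxy log checks actually looks for, here is an added example (not Microsoft's script and not code from the article) that applies the CVE-2021-26855 indicator Microsoft published in its original manual commands: an HttpProxy request with an empty AuthenticatedUser whose AnchorMailbox was set to a ServerInfo~<host>/<path> value. The log excerpt is constructed and simplified to a handful of columns; real HttpProxy logs carry many more fields and '#'-prefixed header lines.

```python
import csv
import io
from typing import Dict, List

# Constructed, simplified HttpProxy log excerpt (column subset only; all values are made up).
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Date: 2021-03-03T10:00:00.000Z
DateTime,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem
2021-03-03T10:15:02.123Z,contoso\\alice,Sid~S-1-5-21-1-2-3-1104,10.0.0.25,/owa/
2021-03-03T10:16:44.001Z,,ServerInfo~localhost/ecp/default.flt,203.0.113.7,/ecp/
2021-03-03T10:17:10.554Z,contoso\\bob,ServerInfo~mail.contoso.local/owa/auth/logon.aspx,10.0.0.31,/owa/
2021-03-03T10:18:01.777Z,,Sid~S-1-5-21-1-2-3-1105,10.0.0.40,/autodiscover/autodiscover.xml
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Return the CSV rows of an HttpProxy log, skipping '#'-prefixed metadata lines."""
    data_lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(io.StringIO("\n".join(data_lines))))


def is_cve_2021_26855_indicator(row: Dict[str, str]) -> bool:
    """Microsoft's published HttpProxy indicator for CVE-2021-26855 (the PowerShell
    filter was: AuthenticatedUser -eq '' -and AnchorMailbox -like 'ServerInfo~*/*').
    Authenticated requests with a ServerInfo~ anchor are normal and are not flagged."""
    anchor = row.get("AnchorMailbox", "")
    unauthenticated = row.get("AuthenticatedUser", "") == ""
    return unauthenticated and anchor.startswith("ServerInfo~") and "/" in anchor


def find_suspicious_requests(text: str) -> List[Dict[str, str]]:
    """Rows matching the indicator; each keeps DateTime, ClientIpAddress and AnchorMailbox for triage."""
    return [r for r in parse_httpproxy_log(text) if is_cve_2021_26855_indicator(r)]


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_HTTPPROXY_LOG):
        print(hit["DateTime"], hit["ClientIpAddress"], hit["AnchorMailbox"])
```

Only the second constructed row is reported; the authenticated ServerInfo~ request and the unauthenticated Sid~ request are left alone, which is the distinction that keeps this check from flooding an admin with false positives.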
The US Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all organizations use this script to check whether their servers have been compromised.
“CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script—as soon as possible—to help determine whether their systems are compromised,” CISA advises in a new advisory.
Additionally, as it has been reported that over 30,000 Exchange servers have been compromised in this attack, all organizations should prioritize installing the new Exchange security updates and ensuring they have not been targeted in these attacks.