Updated: Mar 17, 2021
Over 30,000 organizations have been affected by the recent Microsoft Exchange Server vulnerability announced in early March.
Experts have learned that, after accessing the victim’s environment, criminals leave behind a web shell or back door, a hacking tool that can be used by the criminal to subsequently access the same environment. Critically, the criminal’s web shell remains even after the Exchange Server is patched with the latest Microsoft updates. Therefore, all Exchange servers should be inspected for signs of unauthorized access and any web shells must be removed.
Make sure your system administrator has done the following:
STEP ONE: Patch first!
All Exchange servers should be patched immediately to address the four identified vulnerabilities.
STEP TWO: Investigate whether your server has been compromised
Review Microsoft’s advice and download the Microsoft Safety Scanner (a Microsoft-developed scan tool) onto the email server, launch the program, agree to the license agreements, and click the “Full scan” option. This tool will automatically delete any detected files and not quarantine them. Once the scan is complete, the tool will report the deleted files. When done using the scanner, uninstall the tool simply by deleting the msert.exe executable. Importantly, this tool is only used to spot scans and should NOT be relied upon as an antivirus program.