Re: Exchange /OWA vulnerability actively exploited


Royce Williams
 

And here is an official Microsoft nmap script to help detect vulnerable instances:


-- 
Royce Williams
Tech Solvency


On Fri, Mar 5, 2021 at 4:01 PM Royce Williams <royce@...> wrote:
Microsoft also added some mitigations here:

https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

-- 
Royce Williams
Tech Solvency


On Fri, Mar 5, 2021 at 3:03 PM Royce Williams <royce@...> wrote:
An option to buy time: you can limit OWA to just Alaskan networks (will still impact a distributed workforce, but can at least lessen collateral damage):

https://www.techsolvency.com/alaskan-networks/

But I would consider even that to be temporary. The threat actor is likely quite busy managing all of their newly compromised hosts. Making them come from Alaskan IP space to target you next makes you only slightly less low-hanging fruit. :D


-- 
Royce Williams
Tech Solvency
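As an added illustration of the "limit OWA to a set of networks" stopgap described above (this is not from the original thread, Microsoft, or the linked network list), the following is an IIS web.config fragment using the built-in IP and Domain Restrictions feature to deny every client not on an allow-list. The network ranges are RFC 5737 documentation placeholders and are assumptions; substitute the ranges you actually want to admit.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative fragment only; not Exchange's shipped web.config.
     Scope it to the OWA virtual directory (and ECP, which shares the
     exposure) rather than the whole Default Web Site.
     Placeholder ranges below are RFC 5737 documentation addresses. -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": anything not explicitly listed gets 403.
           Requires the IIS "IP and Domain Restrictions" role service. -->
      <ipSecurity allowUnlisted="false">
        <!-- Placeholder /24, written as address + subnet mask -->
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Placeholder /25 -->
        <add ipAddress="198.51.100.0" subnetMask="255.255.255.128" allowed="true" />
        <!-- Placeholder single management host -->
        <add ipAddress="192.0.2.10" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Two practical caveats: if a load balancer or reverse proxy fronts the server, IIS sees the proxy's address, so the restriction only works once the real client address is carried through (the `enableProxyMode` attribute on `ipSecurity` makes IIS honour X-Forwarded-For for this check); and Exchange cumulative updates can rewrite virtual-directory web.config files, so treat this as the temporary measure the message calls it and verify it survives any update. It reduces exposure going forward; it does nothing for a host that was already reached, which still needs the IOC checks from the CISA guidance.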


On Fri, Mar 5, 2021 at 2:45 PM Royce Williams via groups.io <royce.williams=gmail.com@groups.io> wrote:
The news coverage for this has been vigorous, but just in case:


The general consensus is that if you still have public-facing OWA, and it was not patched (or blocked from public access) as soon as the Microsoft announcement came out, you should basically assume that it's compromised at this point.

The article contains links to the CISA announcement and guidance, which have IOCs.
--
Royce
