Exchange /OWA vulnerability actively exploited
The news coverage for this has been vigorous, but just in case:
The general consensus is that if you still have public-facing OWA, and it was not patched (or blocked from public access) as soon as the Microsoft announcement came out, you should basically assume that it's compromised at this point.
The article contains links to the CISA announcement and guidance, which have IOCs.
--
Royce
Royce
An option to buy time: you can limit OWA to just Alaskan networks (will still impact a distributed workforce, but can at least lessen collateral damage):
https://www.techsolvency.com/alaskan-networks/
But I would consider even that to be temporary. The threat actor is likely quite busy managing all of their newly compromised hosts. Making them come from Alaskan IP space to target you next makes you only slightly less low-hanging fruit. :D
--
Royce Williams
Tech Solvency
Leon Jaimes
Thanks Royce!
I have a client whose server was hit on the afternoon of 3/1, so I would encourage folks to check logs for IoCs even if they patched on 3/2. I found this one by searching logs for the IP addresses that CISA published in their TA.
Cheers,
IMPORTANT NOTICE: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Sollievo IT, LLC may contain information that is confidential and legally privileged.
Please do not read, copy, forward, or store this message unless you are an intended recipient of it. If you have received this message in error, please forward it to the sender and delete it completely from your computer system.
Leon Jaimes [mobile]
Founder and Principal Security Architect
Sollievo IT, LLC
Microsoft also added some mitigations here:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
--
Royce Williams
Tech Solvency
Peter Barclay PCNI
Thanks Royce for your perseverance.
And here is an official Microsoft nmap script to help detect vulnerable instances:
--
Royce Williams
Tech Solvency
Leon Jaimes
I now have IoC artifacts going back to 2/26 from 192.81.208.169 on one client's logs.
POST to /ecp/y.js seems to be a common request.
Leon Jaimes [mobile]
Founder and Principal Security Architect
Sollievo IT, LLC
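Leon's two notes above (the 3/1 hit found by grepping for the CISA-published IPs, and the POST to /ecp/y.js artifacts going back to 2/26) describe exactly the sweep a responder ends up scripting. The following is an added example, not code from the original thread or from Microsoft/CISA. It assumes the Exchange front-end IIS logs are in the default W3C extended format (C:\inetpub\logs\LogFiles\W3SVCn), that the IoC IP set is populated from the CISA alert (only 192.81.208.169, the address Leon reported, is included here), and the sample log lines, including their user-agent strings and client addresses, are constructed for the demo.

```python
"""Sweep Exchange front-end IIS logs for the IoCs discussed in this thread.

Added example, not from the original posts. Assumes IIS W3C extended log
format (default under C:\\inetpub\\logs\\LogFiles\\W3SVCn). IOC_IPS is a
placeholder set to be filled from CISA's alert; only 192.81.208.169 comes
from the thread itself. The sample log below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Iterator

# Source IP reported in the thread; extend with the CISA-published addresses.
IOC_IPS: frozenset[str] = frozenset({"192.81.208.169"})

# Request path reported in the thread. Anchored so /ecp/yabc.js does not match;
# the query string lives in a separate IIS column, so /ecp/y.js?x=1 still does.
IOC_URI_RE = re.compile(r"^/ecp/y\.js$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    when: str          # "YYYY-MM-DD HH:MM:SS" from the date/time columns
    client_ip: str
    method: str
    uri: str
    status: str
    reasons: tuple[str, ...]   # which IoC rule(s) fired


def parse_iis_w3c(lines: Iterable[str]) -> Iterator[dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields header.

    IIS emits a fresh #Fields directive whenever logging settings change, so
    the column map is refreshed each time one appears.
    """
    fields: list[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        cols = line.split(" ")
        if not fields or len(cols) != len(fields):
            continue  # malformed or pre-header line: skip rather than guess
        yield dict(zip(fields, cols))


def find_hits(lines: Iterable[str]) -> list[Hit]:
    """Return every request that came from an IoC IP or touched an IoC URI."""
    hits: list[Hit] = []
    for row in parse_iis_w3c(lines):
        reasons: list[str] = []
        ip = row.get("c-ip", "")
        uri = row.get("cs-uri-stem", "")
        if ip in IOC_IPS:
            reasons.append("ioc-ip")
        if IOC_URI_RE.match(uri):
            reasons.append("ioc-uri")
        if reasons:
            hits.append(Hit(
                when=f"{row.get('date', '?')} {row.get('time', '?')}",
                client_ip=ip,
                method=row.get("cs-method", "?"),
                uri=uri,
                status=row.get("sc-status", "?"),
                reasons=tuple(reasons),
            ))
    return hits


def earliest_hit(hits: list[Hit]) -> str | None:
    """Earliest IoC timestamp: the lower bound on when the host was touched."""
    return min((h.when for h in hits), default=None)


# Constructed sample in IIS W3C layout (15 columns per request line).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-02-26 03:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-02-26 03:12:44 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-02-26 03:14:58 10.0.0.5 GET /owa/auth/ - 443 - 192.81.208.169 python-requests/2.25.1 - 200 0 0 18
2021-02-26 03:15:02 10.0.0.5 POST /ecp/y.js - 443 - 192.81.208.169 python-requests/2.25.1 - 200 0 0 140
2021-03-01 18:40:17 10.0.0.5 POST /ecp/y.js - 443 - 198.51.100.77 python-requests/2.25.1 - 200 0 0 95
2021-03-02 09:01:55 10.0.0.5 GET /owa/ - 443 jdoe 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
"""

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(h.when, h.client_ip, h.method, h.uri, h.status, ",".join(h.reasons))
    print("earliest IoC activity:", earliest_hit(found))
```

To run it over a real server, feed `find_hits` each file opened with `open(path, encoding="utf-8", errors="replace")` for every W3SVC log in the window and keep the earliest hit; that date, not the patch date, is the start of your incident timeline. A clean sweep is not a clean bill of health: the IP list only covers what CISA has seen, which is Leon's point about checking even if you patched on 3/2.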
A scan of Alaskan space reveals ~100 Exchange instances still vulnerable.
ACS:
GCI:
All others (includes "hits" in Alasconnect, AP&T, MTA, TelAlaska, SnowCloud, UA space):
Unless reverse DNS is in place, or the server has been rebranded visually, it's often difficult to tell what entity owns the server at that IP.
--
Royce
Microsoft has released a one-click Exchange self-remediation tool, so that orgs without dedicated IT staff or specialists can easily apply the patches.
--
Royce Williams
Tech Solvency
Microsoft has summarized their Exchange guidance today, here:
--
Royce Williams
Tech Solvency
Donovon Dildine
Thanks Royce for all the helpful links and IP addresses, etc.
Donovon
--
Donovon
Shane Spencer
I believe it is also possible to use a publicly accessible frontend proxy like NGINX and enforce client certificates which you would need to generate and distribute. Correct me if I am wrong.
Another fun approach is to test the limits of ZeroTier on mobile and desktop and lock everything right the heck down.
--
Shane Spencer
about.me/ShaneSpencer