Article | April 13, 2021

Rapid Response: Mass Exploitation Of On-Prem Exchange Servers

Source: Huntress

By John Hammond, Huntress

UPDATED 05 March @ 1347pm ET: Added instructions on verifying patch status and new IOCs.
UPDATED 05 March @ 1904pm ET: Added PowerShell syntax to verify patch status.
UPDATED 06 March @ 0004am ET: Added official Microsoft NSE script and new post-exploitation. 
UPDATED 06 March @ 0317am ET: Added analysis leading to "stage 6": Cobalt Strike & Mimikatz.

On March 1, our team was notified that undisclosed Microsoft Exchange vulnerabilities were being successfully exploited against on-prem servers. After the tip from one of our MSP partners, we confirmed the activity, and Microsoft has since released an initial blog post and emergency patches for the vulnerabilities.

The purpose of this blog post is to spread the word that this is being actively exploited in the wild. At the moment, we've discovered 350+ webshells across roughly 2,000 (updated: 3,000) vulnerable servers (the majority have AV/EDR installed), and we expect this number to keep rising.

UPDATE 05 March 1347pm ET: Currently we have visibility on roughly 3,000 Exchange servers. We see ~800 that remain unpatched: they report an up-to-date CU version number but do not have the hotfix installed.
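The distinction in that update matters when verifying patch status: on an Exchange server, `Get-ExchangeServer` reports only the Cumulative Update in `AdminDisplayVersion`, while a security update (hotfix) changes the file version of `ExSetup.exe` but not the CU number. The following is an added example, not code from the Huntress post, that reads both and compares the installed build against a patched build the operator supplies; the `$PatchedBuildFromReleaseNotes` value is a placeholder that must be taken from Microsoft's release notes for the server's CU, and the function name is assumed.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the Exchange server itself: Get-Command Exsetup.exe resolves only there.
function Get-ExchangeBuildStatus {
    [CmdletBinding()]
    param(
        # Full patched build for THIS server's CU, from Microsoft's security update
        # release notes. The caller must supply it; nothing is hard-coded here.
        [Parameter(Mandatory)][version]$MinimumPatchedBuild
    )

    # AdminDisplayVersion shows the Cumulative Update only. A security update does
    # not change it, so a server can look current here and still be unpatched.
    $cuVersion = (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion

    # The file version of ExSetup.exe does include the security-update build.
    $exsetup   = Get-Command Exsetup.exe -ErrorAction Stop
    $installed = [version]$exsetup.FileVersionInfo.FileVersion

    # Only compare within the same CU line (Major.Minor.Build); a different CU
    # has its own patched build and needs its own reference value.
    $sameCu = ($installed.Major -eq $MinimumPatchedBuild.Major) -and
              ($installed.Minor -eq $MinimumPatchedBuild.Minor) -and
              ($installed.Build -eq $MinimumPatchedBuild.Build)

    $status = if (-not $sameCu) {
        'CU differs from reference build; look up the patched build for this CU'
    } elseif ($installed -ge $MinimumPatchedBuild) {
        'Patched'
    } else {
        'UNPATCHED: CU is current but the security update is missing'
    }

    [pscustomobject]@{
        Server              = $env:COMPUTERNAME
        CuVersion           = $cuVersion
        InstalledBuild      = $installed
        MinimumPatchedBuild = $MinimumPatchedBuild
        Status              = $status
    }
}

# Usage. PLACEHOLDER: replace with the patched build for your CU from Microsoft's
# release notes before running; the value below is deliberately not a real build.
$PatchedBuildFromReleaseNotes = '0.0.0.0'
Get-ExchangeBuildStatus -MinimumPatchedBuild ([version]$PatchedBuildFromReleaseNotes) |
    Format-List
```

The useful output is the `Status` field: a server whose `CuVersion` is current but whose `InstalledBuild` falls below the reference is exactly the "CU up to date, hotfix missing" case counted in the update above, and it should be treated as unpatched until the security update is applied.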

We will continue to update this blog with our observations and IOCs to drive awareness. You can also check out our Reddit thread to stay up to date.
