Microsoft has released the EOMT.ps1 tool that can automate portions of both the detection and patching process and help your organization check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
In addition, CISA has added seven Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities: https://us-cert.cisa.gov/ncas/alerts/aa21-062a. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actors can upload a webshell to enable remote administration of the affected system.
CISA has also added information on ransomware activity associated with exploitation of the Exchange Server products, including DearCry ransomware.
CISA encourages users and administrators to review the following resources for more information.
- Microsoft IOC Detection Tool for Exchange Server Vulnerabilities: https://github.com/microsoft/CSS-Exchange/tree/main/Security
- Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities: https://us-cert.cisa.gov/ncas/alerts/aa21-062a
- MAR-10328877-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072a
- MAR-10328923-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072b
- MAR-10329107-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072c
- MAR-10329297-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072d
- MAR-10329298-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072e
- MAR-10329301-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072f
- MAR-10329494-1.v1: China Chopper Webshell: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072g
- CISA’s Remediating Microsoft Exchange Vulnerabilities web page: https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities
- CISA’s Ransomware Guidance and Resources web page: https://www.cisa.gov/ransomware
Please contact CISA (via email at central@cisa.dhs.gov or by phone at 1-888-282-0870) to report an intrusion or to request either technical assistance or additional resources for incident response.
Respectfully,
Cybersecurity and Infrastructure Security Agency
Defend Today Secure Tomorrow
