Over 30,000 organisations have been affected by the recent Microsoft Exchange Server vulnerability announced last week. Experts have learned that, after accessing the victim’s environment, criminals leave behind a web shell or back door, a hacking tool that can be used by the criminal to subsequently access the same environment. Critically, the criminal’s web shell remains even after the Exchange Server is patched with the latest Microsoft updates. Therefore, all Exchange Servers should be inspected for signs of unauthorised access and any web shells must be removed.
Here's what you need to do.
STEP ONE: Patch first!
All Exchange servers should be patched immediately to address the four identified vulnerabilities.
STEP TWO: Investigate whether you've been compromised
Review Microsoft’s advice and download the Microsoft Safety Scanner (a Microsoft-developed scan tool) on your Exchange Server to run a full scan. This tool will automatically delete any detected files and not quarantine them. Once the scan is complete, the tool will report the deleted files. When done using the scanner, uninstall the tool simply by deleting the msert.exe executable. Importantly, this tool is only used for spot scans and should NOT be relied upon as an antivirus program.