Whats HAFNIUM with Exchange On-Premises?

Scenario: Microsoft recently reported 4 new 0-day exploits that may impact Exchange On-Premises servers.

The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065

Patch your Exchange On-Premises servers with the latest security patch to protect your environment!!!!

To see if you were impacted or exploited, you can check your log files. Please see the reference article/URL listed at the bottom of this post. My commands used are built off of Microsofts PowerShell commands, except I needed my commands to run on multiple servers, in parallel, and I needed a faster way of evaluating my log files for CVE-2021-26855.

Here are my PowerShell notes that I used:

CVE-2021-26855 – Review the output file for Authenticateduser = $null and AnchorMailbox is like ServerInfo~*/*

$s = “ExOnPremSrv1″,”ExOnPremSrv2”

$S | %{
$Server= $_
$files = get-childitem -recurse -path “\$server\c$\PROGRAM FILES\Microsoft\Exchange Server\V15\Logging\HttpProxy” -Filter ‘*.log’
$FileCount = $Files.Count
$c = 0
$results = @()
$outfile = “\FileServer01\c$\temp\$server.txt”

$files.fullname | %{
    $f = $_
    "$c OF $FILECOUNT :::  $F"
    $temp =  findstr "ServerInfo" "$F"
    $temp | out-file $outfile -Append



$server = “ExOnPremSrv1″,”ExOnPremSrv2”
$server | %{
$s = $_
“Checking $S”
findstr /snip /c:”Download failed and temporary file” “\$s\c$\PROGRAM FILES\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog*.log”


$server = “ExOnPremSrv1″,”ExOnPremSrv2”

$Server | %{
$s = $_
“Checking $S”
Get-EventLog -ComputerName $S -LogName Application -Source “MSExchange Unified Messaging” -EntryType Error | Where-Object { $_.Message -like “System.InvalidCastException” }


$server = “ExOnPremSrv1″,”ExOnPremSrv2”

$server | %{
$s = $_
“Checking $S”
Select-String -Path “\$s\c$\PROGRAM FILES\Microsoft\Exchange Server\V15\Logging\ECP\Server*.log” -Pattern ‘Set-.+VirtualDirectory’

Ref: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: