What's HAFNIUM with Exchange On-Premises?

Scenario: Microsoft recently reported 4 new 0-day exploits that may impact Exchange On-Premises servers.

The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

Patch your Exchange On-Premises servers with the latest security patch to protect your environment!

To see if you were impacted or exploited, you can check your log files. Please see the reference article/URL listed at the bottom of this post. My commands are built off of Microsoft's PowerShell commands, except I needed my commands to run on multiple servers, in parallel, and I needed a faster way of evaluating my log files for CVE-2021-26855.

Here are my PowerShell notes that I used:

CVE-2021-26855 – Review the output file for rows where AuthenticatedUser is empty ($null) and AnchorMailbox is like ServerInfo~*/*

$s = "ExOnPremSrv1","ExOnPremSrv2"

$s | %{
    $server = $_
    # HttpProxy logs are read over the admin share of each server
    $files = Get-ChildItem -Recurse -Path "\\$server\c$\PROGRAM FILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log'
    $fileCount = $files.Count
    $c = 0
    # One output file per server, collected on a central file server
    $outfile = "\\FileServer01\c$\temp\$server.txt"

    $files.FullName | %{
        $c++
        $f = $_
        "$c OF $fileCount :::  $f"
        # findstr returns every line that mentions ServerInfo; review the output file afterwards
        $temp = findstr "ServerInfo" "$f"
        $temp | Out-File $outfile -Append
    }
}


CVE-2021-26858

$server = "ExOnPremSrv1","ExOnPremSrv2"
$server | %{
    $s = $_
    "Checking $s"
    # /s recurse into subdirectories, /n print line numbers, /i case-insensitive, /p skip files with non-printable characters
    findstr /snip /c:"Download failed and temporary file" "\\$s\c$\PROGRAM FILES\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
}

CVE-2021-26857

$server = "ExOnPremSrv1","ExOnPremSrv2"

$server | %{
    $s = $_
    "Checking $s"
    # The wildcards are required: -like without them only matches a message that is exactly the exception name
    Get-EventLog -ComputerName $s -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }
}

CVE-2021-27065

$server = "ExOnPremSrv1","ExOnPremSrv2"

$server | %{
    $s = $_
    "Checking $s"
    Select-String -Path "\\$s\c$\PROGRAM FILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
}
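The three checks for CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 each loop over the servers one at a time and pull logs over the admin share. The following is an added example, not code from the original post, that runs the same three checks inside one Invoke-Command fan-out (PowerShell remoting runs the script block on all targets concurrently), uses Get-WinEvent with a filter hashtable so the event log service does the Source/Level filtering, and collects every hit into one CSV. Server names and the output path are placeholders; the log paths are the ones used in this post.

```powershell
# Added example (not from the original post): the three remaining checks from this
# post, executed on every server in parallel and collected into one CSV.
$servers = 'ExOnPremSrv1', 'ExOnPremSrv2'      # placeholder server names
$outFile = 'C:\temp\hafnium-checks.csv'        # placeholder output path

$remoteChecks = {
    $logRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging"

    # CVE-2021-26857: Unified Messaging error events mentioning InvalidCastException.
    # Level 2 = Error. Filtering by ProviderName/Level in the hashtable is much faster
    # than Get-EventLog piped to Where-Object, which fetches every event first.
    $umEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchange Unified Messaging'; Level = 2
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' }
    foreach ($e in $umEvents) {
        [pscustomobject]@{
            Check  = 'CVE-2021-26857'
            Source = 'Application event log'
            When   = $e.TimeCreated
            Detail = $e.Message.Substring(0, [Math]::Min(200, $e.Message.Length))
        }
    }

    # CVE-2021-26858: OAB generator log lines reporting a failed download.
    Get-ChildItem -Path "$logRoot\OABGeneratorLog" -Filter '*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Download failed and temporary file' -SimpleMatch |
        ForEach-Object {
            [pscustomobject]@{ Check = 'CVE-2021-26858'; Source = $_.Path; When = $null; Detail = $_.Line }
        }

    # CVE-2021-27065: ECP server log entries that set a virtual directory.
    Get-ChildItem -Path "$logRoot\ECP\Server" -Filter '*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'Set-.+VirtualDirectory' |
        ForEach-Object {
            [pscustomobject]@{ Check = 'CVE-2021-27065'; Source = $_.Path; When = $null; Detail = $_.Line }
        }
}

# Invoke-Command runs the block on all servers at once (up to -ThrottleLimit) and
# tags each returned object with PSComputerName, so one CSV covers the whole fleet.
$hits = @(Invoke-Command -ComputerName $servers -ScriptBlock $remoteChecks -ThrottleLimit 8)
$hits | Select-Object PSComputerName, Check, Source, When, Detail |
    Export-Csv -Path $outFile -NoTypeInformation
"$($hits.Count) hit(s) written to $outFile"
```

Run it from a workstation that has WinRM access to the Exchange servers. Because the logs are read locally on each server, only the matching lines cross the network, and a server that is unreachable produces an error for that target without stopping the others.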

Ref: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
