Microsoft MSERT helps to scan Exchange Servers

[English]Redmond has added security information to the latest version of the Microsoft Support Emergency Response Tool (MSERT). The tool can now be run to detect and eliminate the latest Exchange Server threats. Specifically, the tool finds installed Web shells in Exchange instances.


The Exchange Meltdown

While Meltdown refers to a hardware vulnerability, it also described perfectly, What has happened to Microsoft's Exchange Server. I had mentioned it in the blog post Exchange Hack News – Test tools from Microsoft and others. Attacks from the suspected state-affiliated Chinese hacker group Hafnium have been using various vulnerabilities (see Exchange server 0-day exploits are actively exploited) in on-premise Exchange Servers to penetrate the instances for months.

The vulnerabilities can only be patched since March 2, 2021 by security updates released by Microsoft. I had reported about it in various blog posts (see links at the end of article). And the Volexity blog (whose security researchers discovered the attack and vulnerabilities) has this post on the subject.

Infizierte Exchange-Server
Infected Exchange servers, Source: Rapid7Click to zoom

In this article, security vendor Rapid7 estimates that there are 170,000 Exchange servers at risk, with "hot spots" in the U.S. and Germany likely to have more than 10,000 instances. Further information and analysis is provided by this Microsoft article, as well as this US-CERT warning. Interesting in this context is this comment from German blog reader Stephan, which points out that the Taiwanese company DEVCORE found two of the vulnerabilities already in December 2020 and reported them to Microsoft. So long before the mass attacks were launched (see the timeline here).

Microsoft MSERT helps Defender with Exchange scan

Currently, of course, the things are worldwide "on fire" – and administrators, if they have noticed, should be checking their Exchange Server instances for an infection immediately. Microsoft has released power shell scripts that are supposed to do that (but won't run on Exchange Server 2010). I had reported briefly in the post Exchange Hack News – Test tools from Microsoft and others. Via updated signature files, Microsoft Defender can detect the following web shells that are installed on systems by attackers via 0-day vulnerabilities:


  • Exploit:Script/Exmann.A!dha
  • Behavior:Win32/Exmann.A
  • Backdoor:ASP/SecChecker.A
  • Backdoor:JS/Webshell 
  • Trojan:JS/Chopper!dha 
  • Behavior:Win32/DumpLsass.A!attk 
  • Backdoor:HTML/TwoFaceVar.B

But there are probably companies that do not use Microsoft Defender as antivirus protection. In this case, the free Microsoft Support Emergency Response Tool (MSERT) is available. This enables a system scan for the above threats.

 Defender Scan auf Exchange-Hack

In the above tweet, SwiftOnSecurity points out that Microsoft has added security information to its Microsoft Support Emergency Response Tool (MSERT). This allows the tool to be run to detect and remediate the latest Exchange Server-related threats. Specifically, the updated Microsoft Safety Scanner (MSERT) can detect Web shells used in recent Exchange Server attacks by the Hafnium group. Microsoft has made the Safety Scanner available for download on its Microsoft Safety Scanner web page. I did some quick research while writing this post – the colleagues at Bleeping Computer described how to use the tool here. But it should noted: If an infection is detected, it's not sufficient to let Defender or MSERT delete the Web Shell – further analysis is required, to find out, if the system have been cleaned.

Similar articles
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *