On 3/5/21, KrebsOnSecurity published an article on a number of Microsoft Exchange Server vulnerabilities being exploited by Chinese cyber espionage groups.

When these servers were compromised, the attackers left a web shell as a backdoor, letting them execute shell commands through a web browser and gain admin access to the servers. Microsoft has released emergency security updates for patching; the vulnerabilities affect self-hosted, on-prem MS Exchange Server 2013 through 2019.

According to Chris Krebs, orgs that run OWA servers exposed to the internet should assume compromise between 02/26-03/03 and should check for eight-character .aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\.
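The file check above, as an added example that is not part of the original post: a Python scan of the directory the post names for .aspx files with an eight-character base name modified inside the stated window. It assumes the window is UTC and uses file modification time as the timestamp; the directory tree and file names are constructed for the demo.

```python
# Added example (not from the original post): look for the indicator the
# post describes, .aspx files whose base name is exactly 8 characters and
# whose timestamp falls in the 02/26 - 03/03 window. Constructed sample tree.
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Window from the post, interpreted as UTC (assumption); end is exclusive.
WINDOW_START = datetime(2021, 2, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 3, 4, tzinfo=timezone.utc)


def find_suspicious_aspx(root, start=WINDOW_START, end=WINDOW_END):
    """Return sorted paths of *.aspx files under root whose stem is exactly
    8 characters and whose modification time lies in [start, end)."""
    hits = []
    for path in Path(root).rglob("*.aspx"):
        if not path.is_file() or len(path.stem) != 8:
            continue
        # mtime is used in place of creation time, which is not portable.
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if start <= mtime < end:
            hits.append(str(path))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed tree mimicking ...\\aspnet_client\\system_web\\
    with one matching file and three decoys."""
    root = Path(tempfile.mkdtemp()) / "aspnet_client" / "system_web"
    root.mkdir(parents=True)
    samples = {
        "abcdefgh.aspx": datetime(2021, 3, 1, tzinfo=timezone.utc),   # matches
        "shell.aspx": datetime(2021, 3, 1, tzinfo=timezone.utc),      # wrong length
        "12345678.aspx": datetime(2021, 1, 15, tzinfo=timezone.utc),  # outside window
        "ABCDEFGH.txt": datetime(2021, 3, 2, tzinfo=timezone.utc),    # wrong extension
    }
    for name, when in samples.items():
        p = root / name
        p.write_text("<%-- constructed sample --%>")
        ts = when.timestamp()
        os.utime(p, (ts, ts))  # set mtime to the constructed date
    return root


if __name__ == "__main__":
    for hit in find_suspicious_aspx(build_sample_tree()):
        print("review:", hit)
```

Any hit is a file to pull for review, not proof of a web shell on its own; compare against the IOC list Microsoft published.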

Now that the hackers are in, it’s time to clean house as patching these servers isn’t enough. Orgs impacted should really be looking for any signs of malware or other backdoors left that might allow the attackers to come back. The best course of action would be to rebuild these servers completely to ensure no malicious software is installed.

Microsoft has posted IOCs here, the mitigation guide here, and information about the updates here.

Microsoft has stated that this isn’t connected to the SolarWinds attacks that happened earlier last year.

Sources: arstechnica, KrebsOnSecurity