Attack on Exchange Server – Microsoft provides test script for login


Microsoft Exchange Server has several serious vulnerabilities that were recently closed with an update but are being heavily exploited by cybercriminals. The manufacturer now offers administrators a PowerShell script to check whether an Exchange server has already been successfully attacked.

A PowerShell script is available in Microsoft’s GitHub repository ‘CSS-Exchange’ (‘powered by Support Engineers for Microsoft Exchange Server’) that checks one or more Exchange servers for traces left by a successful attack. BleepingComputer reported on this. Microsoft publicly disclosed the vulnerabilities, together with an update, on March 2 – at that point, however, attacks on them had already been observed (zero-days). When an attacker chains the vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the attack is known as “ProxyLogon”. It allows code to be executed remotely and requires an active Outlook Web Access (OWA).

The PowerShell script Test-ProxyLogon.ps1 on GitHub looks for the characteristic traces of a ProxyLogon attack. Microsoft had already published the details in a blog post, but this script bundles the manual checks and makes it much easier for administrators to examine their Exchange servers. The script searches the Exchange log, the Exchange HttpProxy log and the Windows application event log.

Run on a local Exchange server (in the Exchange Management Shell), the script prints its results directly:

.\Test-ProxyLogon.ps1

The output can be saved to a file:

.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

If you operate multiple Exchange servers, you can test all systems at once (and save the result):

Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

Exchange administrators should close the vulnerabilities immediately by installing the latest updates and, if possible, also use this script to check their systems for an attack. The extent of the attacks that have already taken place is clearly considerable; estimates speak of tens of thousands of systems in Germany that are at least vulnerable and may already have been attacked. The BSI has warned of an IT security threat situation and advised taking immediate action.

(Tiwari)
