On March 2nd, 2021, Microsoft disclosed that four Exchange Server zero-day vulnerabilities were being exploited in the wild against Internet-exposed on-premises Exchange servers. They are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Chained together (the chain is known as 'ProxyLogon'), they let an unauthenticated attacker steal mailbox contents, harvest credentials, and drop web shells that give persistent access to the internal network.
In response, Microsoft has pointed defenders at Microsoft Safety Scanner, also known as the Microsoft Support Emergency Response Tool (MSERT), a standalone, portable antimalware tool that carries Microsoft Defender signatures and can scan for and remove the web shells seen in these attacks.
MSERT is an on-demand scanner: it runs only when you launch it, so it is suited to spot checks rather than continuous protection, and its signatures expire 10 days after download, so fetch a fresh copy before each scan.
Microsoft Safety Scanner
- https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
If you want to scan for web shells without removing them (so the files survive for forensic analysis), you can use the PowerShell script detect_webshells.ps1 from CERT Latvia (CERT.LV), which reports candidate files instead of deleting them.
- https://github.com/cert-lv/exchange_webshell_detection
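The following is an added example of a detect-only web shell triage, not CERT.LV's detect_webshells.ps1 and not Microsoft tooling. It assumes the default Exchange install path (change $ExchangeRoot otherwise); the drop directories and content patterns are assumptions drawn from public reporting on these attacks and are a starting point, not an exhaustive list.

```powershell
# Added example: detect-only triage of candidate ASP.NET web shells on an Exchange
# server. Not CERT.LV's detect_webshells.ps1 and not Microsoft tooling.
# Assumptions: default install path; the drop directories and content patterns
# below come from public reporting and are not exhaustive.

$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'

# Directories reported as web shell drop locations in these attacks (assumption).
$DropDirs = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\ecp\auth')
)

# Regexes for one-line shells: server-side script that evaluates or executes
# attacker-supplied request data, e.g. eval(Request["cmd"], "unsafe").
$ShellPatterns = @(
    'runat\s*=\s*"?server"?[\s\S]{0,400}?\beval\s*\(',
    'Request(\.Item)?\s*\[\s*"[^"]+"\s*\]\s*,\s*"unsafe"',
    'System\.Diagnostics\.Process',
    'Process\.Start\s*\(',
    'Assembly\.Load\s*\('
)

function Find-SuspiciousAspx {
    [CmdletBinding()]
    param(
        [string[]] $Directories = $DropDirs,
        # Also report recently written files with no pattern match (catches
        # obfuscated shells; noisy right after a CU/SU rewrites these folders).
        [switch]   $IncludeRecent,
        [datetime] $ModifiedSince = (Get-Date).AddDays(-30)
    )
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $files = Get-ChildItem -LiteralPath $dir -Recurse -File `
                     -Include '*.aspx', '*.asmx', '*.ashx' -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            $content = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            if ([string]::IsNullOrEmpty($content)) { continue }
            $hits   = @($ShellPatterns | Where-Object { $content -match $_ })
            $recent = $IncludeRecent -and ($file.LastWriteTimeUtc -ge $ModifiedSince.ToUniversalTime())
            if ($hits.Count -eq 0 -and -not $recent) { continue }
            if ($hits.Count -gt 0) { $reason = 'pattern: ' + ($hits -join ' | ') } else { $reason = 'recent write' }
            # Hash and timestamps are recorded so the file can be compared with a
            # known-good install and preserved as evidence; nothing is modified.
            [pscustomobject]@{
                Path         = $file.FullName
                LastWriteUtc = $file.LastWriteTimeUtc
                SizeBytes    = $file.Length
                SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                Reason       = $reason
            }
        }
    }
}

# Report only. Leave flagged files in place (and their timestamps untouched) for forensics.
Find-SuspiciousAspx -IncludeRecent | Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

Legitimate Exchange pages live in the owa\auth and ecp\auth folders, so treat a pattern hit as a lead to review, not a verdict; the SHA256 column lets you compare a flagged file against the same file on a clean server of the same build.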
Microsoft also released a PowerShell script, Test-ProxyLogon.ps1, that searches the Exchange HttpProxy, ECP server and OAB generator logs and the Windows Application event log for indicators of compromise (IOCs) associated with these attacks.
- https://github.com/microsoft/CSS-Exchange/tree/main/Security
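As an added example (not Microsoft's Test-ProxyLogon.ps1 and not code from this page), the four per-CVE log checks that Microsoft published in its public guidance for these attacks, wrapped as functions that can be run on a live server or against logs copied off it. It assumes the default Exchange install path (set $ExchangeRoot otherwise); the sample HttpProxy log at the end is constructed so the SSRF check can be exercised on a machine without Exchange.

```powershell
# Added example: the four per-CVE log checks from Microsoft's public guidance on
# these attacks, as functions. Not Microsoft's Test-ProxyLogon.ps1.
# Assumption: default install path; set $ExchangeRoot otherwise.

$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'

# CVE-2021-26855 (SSRF): unauthenticated HttpProxy requests whose AnchorMailbox
# carries a ServerInfo~ routing hint. Exchange writes the CSV header on the first
# line and '#' metadata lines after it, so Import-Csv works but yields a few
# junk rows, which are filtered out here.
function Find-ProxyLogonSsrf {
    param([string] $LogRoot = (Join-Path $ExchangeRoot 'Logging\HttpProxy'))
    $logs = Get-ChildItem -Path $LogRoot -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue
    foreach ($log in $logs) {
        Import-Csv -Path $log.FullName -ErrorAction SilentlyContinue |
            Where-Object {
                $_.DateTime -notlike '#*' -and
                [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
                $_.AnchorMailbox -like 'ServerInfo~*/*'
            } |
            Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox,
                          @{ Name = 'LogFile'; Expression = { $log.Name } }
    }
}

# CVE-2021-27065 (arbitrary file write via ECP): virtual directory changes in the ECP server logs.
function Find-EcpVirtualDirectoryWrites {
    param([string] $LogRoot = (Join-Path $ExchangeRoot 'Logging\ECP\Server'))
    Select-String -Path (Join-Path $LogRoot '*.log') -Pattern 'Set-.+VirtualDirectory' -ErrorAction SilentlyContinue |
        Select-Object Filename, LineNumber, Line
}

# CVE-2021-26858 (arbitrary file write via OAB): failed downloads in the OAB generator logs.
function Find-OabGeneratorFailures {
    param([string] $LogRoot = (Join-Path $ExchangeRoot 'Logging\OABGeneratorLog'))
    Select-String -Path (Join-Path $LogRoot '*.log') -SimpleMatch 'Download failed and temporary file' -ErrorAction SilentlyContinue |
        Select-Object Filename, LineNumber, Line
}

# CVE-2021-26857 (insecure deserialization in Unified Messaging): Error-level
# events from the UM service in the Application log mentioning InvalidCastException.
function Find-UmDeserializationErrors {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange Unified Messaging'; Level = 2 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Select-Object TimeCreated, Id, Message
}

# Constructed sample HttpProxy log (not real data). Row 1 is the kind of entry the
# SSRF leaves (no authenticated user, ServerInfo~ anchor); row 2 is a normal OWA logon.
$sampleDir = Join-Path $env:TEMP 'proxylogon-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
DateTime,ClientIpAddress,UrlStem,AnchorMailbox,AuthenticatedUser
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
2021-03-02T10:15:01.000Z,203.0.113.5,/owa/auth/x.js,ServerInfo~a]@exch01.corp.example/ecp/DDI/DDIService.svc/SetObject,
2021-03-02T10:16:00.000Z,198.51.100.7,/owa/,CORP\alice,CORP\alice
'@ | Set-Content -Path (Join-Path $sampleDir 'HttpProxy_2021030210-1.log')

Find-ProxyLogonSsrf -LogRoot $sampleDir | Format-Table -AutoSize

# On an Exchange server, run all four against the default log locations:
# Find-ProxyLogonSsrf; Find-EcpVirtualDirectoryWrites; Find-OabGeneratorFailures; Find-UmDeserializationErrors
```

The SSRF check is the one worth running first: the HttpProxy entry is written before any web shell is dropped, so it is the earliest sign of exploitation and the one an attacker who cleaned up files is least likely to have removed. Log retention on the server is limited, so copy the Logging tree off the host before it rolls over.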