Microsoft Exchange Server has several serious vulnerabilities that were recently closed by an update but are being heavily exploited by cybercriminals. Microsoft now offers administrators a PowerShell script to check whether an Exchange server has already been successfully attacked.
PowerShell script provided on GitHub
A PowerShell script is available in Microsoft's GitHub repository 'CSS-Exchange' ('powered by Support Engineers for Microsoft Exchange Server') that checks one or more Exchange servers for traces left by a successful attack; BleepingComputer reported on it. Microsoft disclosed the vulnerabilities, together with an update, on March 2; by that point, attacks on them had already been observed (zero-days). Chained together, the vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 are known as "ProxyLogon". The chain allows remote code execution and requires that Outlook Web Access (OWA) is active and reachable by the attacker.
The PowerShell script Test-ProxyLogon.ps1 on GitHub looks for the characteristic traces of a ProxyLogon attack. Microsoft had already published the details in a blog post, but this script bundles the manual checks and makes it much easier for administrators to examine their Exchange servers. It searches the Exchange logs, the Exchange HttpProxy logs and the Windows Application event log.
Run on a local Exchange server (in the Exchange Management Shell), the script prints its results directly to the console:
.\Test-ProxyLogon.ps1
The output can also be saved to a directory:
.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
If you operate several Exchange servers, you can test all of them at once (and save the results):
Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs
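To make the kind of check the script automates tangible, here is an added example (not code from the page, from Microsoft or from the CSS-Exchange project) that re-implements one of the manual checks for CVE-2021-26855 from Microsoft's guidance: an HttpProxy log entry with an empty AuthenticatedUser whose AnchorMailbox starts with "ServerInfo~" and points at a backend path. It runs over a constructed, abbreviated HttpProxy log excerpt so it works offline; the function name Get-ProxyLogonSsrfHits, the sample rows and the hostnames in them are assumptions made for the example. Test-ProxyLogon.ps1 covers considerably more (the other three CVEs and dropped files), so this is an illustration of the approach, not a replacement for the script.

```powershell
# Added example (not from the page or the CSS-Exchange project): one manual
# CVE-2021-26855 indicator from Microsoft's HAFNIUM guidance, applied to an
# in-memory HttpProxy log excerpt. Indicator: unauthenticated request whose
# AnchorMailbox is "ServerInfo~<host>/<backend path>", i.e. the server-side
# request forgery that ProxyLogon uses to reach the backend as the server.

function Get-ProxyLogonSsrfHits {
    param(
        [Parameter(Mandatory)][string[]]$LogLines
    )
    # Exchange HttpProxy logs start with a "#Software:", "#Fields:" ... preamble
    # followed by a plain CSV header row; drop the comment lines, parse the rest.
    $csvLines = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') }
    $rows = $csvLines | ConvertFrom-Csv

    $rows | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
        $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

# Constructed sample with a reduced column set (real logs have ~60 fields).
# Row 2 is the suspicious one: no authenticated user, ServerInfo~ anchor
# mailbox carrying a backend host:port and an /ecp/ path.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Fields: DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
DateTime,RequestId,Protocol,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T10:12:01.111Z,00000000-0000-0000-0000-000000000001,Owa,/owa/,contoso\jdoe,Sid~S-1-5-21-1-2-3-1001,10.0.0.25,200
2021-03-03T10:12:05.222Z,00000000-0000-0000-0000-000000000002,Ecp,/ecp/y.js,,ServerInfo~a]@exch01.contoso.local:444/ecp/DDI/DDIService.svc/SetObject,192.0.2.77,200
2021-03-03T10:12:09.333Z,00000000-0000-0000-0000-000000000003,Autodiscover,/autodiscover/autodiscover.xml,contoso\jdoe,Smtp~jdoe@contoso.local,10.0.0.25,200
'@ -split "`r?`n"

$hits = Get-ProxyLogonSsrfHits -LogLines $sampleLog
if ($hits) {
    Write-Warning "Possible CVE-2021-26855 exploitation attempts found:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No ServerInfo~ anchor-mailbox anomalies found."
}

# On a real server, feed the function the actual log files instead
# ($env:ExchangeInstallPath is set by Exchange setup):
#   Get-ChildItem -Recurse "$env:ExchangeInstallPath\Logging\HttpProxy" -Filter *.log |
#       ForEach-Object { Get-ProxyLogonSsrfHits -LogLines (Get-Content $_.FullName) }
```

An empty AuthenticatedUser on its own is normal (the OWA login page, for instance, is requested unauthenticated), which is why the check combines it with the ServerInfo~ anchor-mailbox pattern. A hit means an exploitation attempt reached the frontend, not necessarily a successful compromise; that is what the remaining checks in Test-ProxyLogon.ps1 and the event log are for.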
Exchange administrators should close the vulnerabilities immediately by installing the latest updates and, where possible, also use this script to check their systems for signs of an attack: the update closes the entry point but does not undo a compromise that has already taken place. The extent of the attacks carried out so far is clearly considerable; estimates assume that at least tens of thousands of systems in Germany are vulnerable and may already have been compromised. The BSI has warned of a serious IT security threat situation and advises taking action immediately.