Hello, welcome to the Monday, March 8th, 2021 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

I'm recording from Jacksonville, Florida.

Let's start with an update on the Microsoft Exchange vulnerability.

The part that I think has not really been made very clear is that before the

patch was released. The group that started with some of these target exploits apparently

did scan off the internet and exploited all exchange servers that they were able to find in the couple

days before Microsoft was able to release a patch. So what this means is that first of all,

there are tens of thousands of exploited exchange servers out there that has also been

confirmed by traffic observed to some of the command control servers.

And if you have an exchange server that was exposed to the internet, chances are it got exploited.

So one of the things you definitely should do today, even if you already patched, if you already checked, double check, make sure that

your exchange server has not been compromised. Microsoft published a PowerShell script to help with

this. Also, the NCC group published a list with known good hashes for exchange servers with

different patch levels. So that's really helpful to sort of

find odd different binaries that may have been left behind that are not listed in these

common indicators of compromise lists that you may have found. And then please double check that

the patch actually got applied. Apparently in particular, if you're

using user account control on your exchange server, it's very important that you do run the

patch as administrator. If you applied manually, if you don't run it as administrator, and if you're

using user account control,

then the patch appears to apply, but it does not correctly update all the files. So you may still

...