Note: Postfix is not directly affected. We are sharing this because Exchange and Postfix are frequently deployed together by Lightmeter users, and, given the scale of this attack, mail handled by both is under threat.
A sophisticated “nation-state cyberattack” on Microsoft Exchange is continuing to spread quickly among servers that have not yet received the patches Microsoft issued on Tuesday. A group called ‘Hafnium’ is behind the attack and is believed to originate in China.
Even servers that were patched on the same day the updates were released may have been infected while still vulnerable, because Hafnium and other attackers were scanning and targeting exposed servers at high speed.
Compromised machines have a web shell installed that is reachable over HTTP and allows remote third-party access. The shell is not removed by the security updates, so it continues to provide password-based remote access after patching.
Microsoft has released a scanning script for identifying compromised servers and has told users to “contact support” for help removing the shell. Talos has provided its own summary and advice.
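Because the web shell survives patching, a patched server still needs to be checked for script files that appeared while it was exposed. The following is an added example of that kind of triage, not Microsoft's scanning script and not code from Lightmeter: it walks a web root, lists server-side script files whose modification time is at or after a cutoff (for instance, the date the server was first exposed) and records a SHA-256 for each so the hits can be compared against known-good builds. The extension list, the directory names and the sample files are assumptions constructed for the demo; nothing here is an indicator from the original post.

```python
"""Triage helper (added example): list web-script files under a web root
modified at or after a cutoff, with a SHA-256 of each, so files dropped
while the server was vulnerable are not overlooked after patching."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Extensions commonly used for server-side scripts on IIS (assumption).
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}


def sha256_of(path):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def days_ago(n):
    """Cutoff helper: an aware UTC timestamp n days in the past."""
    return datetime.now(timezone.utc) - timedelta(days=n)


def find_recent_scripts(web_root, cutoff):
    """Return sorted [(relative_path, mtime_iso, sha256)] for script files
    whose modification time is at or after `cutoff` (an aware datetime)."""
    cutoff_ts = cutoff.timestamp()
    hits = []
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            mtime = os.path.getmtime(full)
            if mtime >= cutoff_ts:
                when = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
                hits.append((os.path.relpath(full, web_root), when, sha256_of(full)))
    return sorted(hits)


def build_demo_root():
    """Construct a throwaway web root: one legitimate page backdated 30 days
    and one script file written just now. Both are placeholders, not real content."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    old = os.path.join(root, "app", "logon.aspx")      # hypothetical legitimate page
    new = os.path.join(root, "uploads", "new.aspx")    # constructed recently-added file
    os.makedirs(os.path.dirname(old))
    os.makedirs(os.path.dirname(new))
    with open(old, "w") as f:
        f.write("<%-- constructed placeholder: legitimate page --%>")
    with open(new, "w") as f:
        f.write("<%-- constructed placeholder: recently added file --%>")
    old_ts = days_ago(30).timestamp()
    os.utime(old, (old_ts, old_ts))  # backdate so the cutoff separates the two
    return root


if __name__ == "__main__":
    root = build_demo_root()
    for rel, when, digest in find_recent_scripts(root, days_ago(7)):
        print(f"{when}  {digest[:16]}  {rel}")
```

In use, point `find_recent_scripts` at the real web root with a cutoff no later than the first day the server was reachable while unpatched, and treat every hit that is not explained by a deployment or update as something to examine (compare its hash against a known-good copy, review the IIS request logs for that path, and involve support as Microsoft advises). Modification times can be altered by an attacker, so a clean result from this check alone is not proof of a clean server; it is a quick first pass, not a substitute for the vendor's scanning script.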
Reporting via Brian Krebs, Wired, the Microsoft blog and the Microsoft security blog.