Sam Tuke
Note: Postfix is not directly affected. We are sharing it because Exchange and Postfix are frequently deployed together by Lightmeter users, and due to the scale of this attack mail handled by both is under threat.
A sophisticated “nation-state cyberattack” on Microsoft Exchange is continuing to quickly spread among servers which have not yet received patches from Microsoft issued on Tuesday. A group called ‘Hafnium’ is behind the attack and believed to originate in China.
Even servers which were patched the same day that updates were released may have been infected while vulnerable, due to high speed scanning and targeting by Hafnium and other attackers.
Compromised machines have a web-accessible web shell installed allowing remote third party access. The shell remains after security updates, providing password-based remote access.
Microsoft has released a scanning script for identifying compromised servers, and told users to “contact support” for help removing it. Talos has provided its own summary and advice.
Reporting via Brian Krebs, Wired, Microsoft blog and security blog.
Related Posts
1.0.0 Released: Recommended fixes for mailserver IP blocks
Lightmeter 1.0.0 provides recommended fixes for mailserver IP blocks and better blocking reports in an Open Source Postfix monitoring app
Nov 25 2020
0.0.2 Alpha: more accurate and responsive charts
Minor Lightmeter Control Center release 0.0.2 brings responsive charts, faster scripts, and docker builds and registry
May 9 2020
