Over the last several days, many organizations have been affected by the Microsoft Exchange Hafnium attacks. As a result, TrustedSec's Incident Response team has gained a lot of experience in a very short time on how to respond to these attacks and what to look for.

Many of the compromised servers we have examined were compromised before patches were available, with backdoors uploaded to them and waiting to be used by attackers. Even in cases where the patch was applied, if a backdoor was uploaded, the servers were still vulnerable to attack.

It is critical that any Microsoft Exchange server that was vulnerable to the attack and was online after the exploit was launched be examined to determine what, if any, activity occurred.

In response to these unique circumstances, we’re offering a new service specific to these attacks: Microsoft Exchange Incident Response Emergency Analysis. In this service, TrustedSec’s Incident Response team will analyze Microsoft Exchange servers that may have been affected by this attack to determine:

• Was the server compromised through the Microsoft Exchange attacks?
• Were any backdoors uploaded to the system?
• Is there any evidence of known post-compromise activity on the systems?
• What actions need to be performed to mitigate any compromise?

With the answers to these questions, organizations can effectively plan their next steps and contain and mitigate any threat.

In this offering, TrustedSec will work with the client to extract key forensic data from Exchange servers. This data will be analyzed for indicators of compromise on the servers and evidence of post-compromise activities. Results will be sent back to the client within one (1) business day after the start of the analysis.

TrustedSec is committed to helping organizations through this attack and giving them the best assurance possible of what may have happened. Please contact us if you think your organization may be affected by the Hafnium attack or to get more information about this service.