
If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680
Exchange servers are under attack, again. These are not the Hafnium web shells; these are ProxyShell exploits being used to compromise on-premises Exchange environments. Microsoft's latest patch may not be effective in keeping your Exchange environment safe.
One indicator of compromise is draft emails that were not created by the mailbox owner.
There was a patch made available by Microsoft on August 24th 2021. These patches and vulnerabilities are now under review by Microsoft, so it is unclear if these vulnerabilities are still being exploited despite the patch.
Check the following file system locations; these are the ProxyShell indicators of compromise (IOCs) referred to on this page:
C:\inetpub\wwwroot\aspnet_client\
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
C:\Windows\System32\inetsrv\Config\applicationHost.config
C:\inetpub\temp\apppools\MSExchangeECPAppPool\MSExchangeECPAppPool.config
C:\ProgramData\
C:\Users\All Users\COM
C:\Users\All Users\COM1
C:\Users\All Users\CON
C:\Users\All Users\WHO
C:\Users\All Users\XYZ
C:\Users\All Users\ZOO
C:\Users\All Users\ZING
If you have found draft emails that just appeared, or any of the ProxyShell IOCs listed on this page, then you may be compromised.
Contact us, we can help. 612-399-9680
1. Download the latest version of Exchange on the target computer. For more information, see Updates for Exchange Server.
2. In File Explorer, right-click on the Exchange CU ISO image file that you downloaded, and then select Mount. In the resulting virtual DVD drive that appears, start Exchange Setup by double-clicking Setup.exe.
3. The Exchange Server Setup wizard opens. On the Check for Updates? page, choose one of the following options, and then click Next to continue:
4. The Copying Files page shows the progress of copying files to the local hard drive. Typically, the files are copied to %WinDir%\Temp\ExchangeSetup, but you can confirm the location in the Exchange Setup log at C:\ExchangeSetupLogs\ExchangeSetup.log.
5. The Upgrade page shows that Setup detected the existing installation of Exchange, so you’re upgrading Exchange on the server (not installing a new Exchange server). Click Next to continue.
6. On the License Agreement page, review the software license terms, select I accept the terms in the license agreement, and then click Next to continue.
7. On the Readiness Checks page, verify that the prerequisite checks completed successfully. If they haven’t, the only option on the page is Retry, so you need to resolve the errors before you can continue.
After you resolve the errors, click Retry to run the prerequisite checks again. You can fix some errors without exiting Setup, while the fix for other errors requires you to restart the computer. If you restart the computer, you need to start over at Step 1.
When no more errors are detected on the Readiness Checks page, the Retry button changes to Install so you can continue. Be sure to review any warnings, and then click Install to install Exchange.
8. On the Setup Progress page, a progress bar indicates how the installation is proceeding.
9. On the Setup Completed page, click Finish, and then restart the computer.
Security Update 1 for Exchange Server 2016 Cumulative Update 21 resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):
Security Update 3 for Exchange Server 2016 Cumulative Update 20 resolves vulnerabilities in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):
Important: To be able to successfully install this security update, you must first follow the steps in this article to make sure that the server authentication certificate is present and is not expired. If the OAuth certificate is not present or is expired, republish the certificate before you install this update.
When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working.
This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.
Note: This issue does not occur if you install the update through Microsoft Update.
To avoid this issue, follow these steps to manually install this security update:
To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.
This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.
To get the standalone package for this update, go to the Microsoft Update Catalog website.
You can get the standalone update package through the Microsoft Download Center.
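The following PowerShell script is an added example, not Microsoft's or this page's own procedure. It applies the downloaded security update package from an elevated session (the cause of the stopped-services problem described above), records which Exchange services were set to Automatic beforehand, and after the install restores and starts any of those services that the update left in a different startup type, which is the fix the text describes done with Set-Service rather than Services Manager. The .msp path is a placeholder; use the package you downloaded from the Microsoft Update Catalog or Download Center.

```powershell
# Added example, not from the original page: install an Exchange security
# update from an elevated session and verify Exchange services afterwards.

function Test-IsElevated {
    # True when the current session holds the Administrator role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ExchangeServiceState {
    # Name, running state and startup type (Auto/Manual/Disabled) of every Exchange service.
    Get-CimInstance Win32_Service -Filter "Name LIKE 'MSExchange%'" |
        Select-Object Name, State, StartMode
}

if (-not (Test-IsElevated)) {
    throw 'Run this from an elevated PowerShell session (Run as administrator).'
}

# Baseline: remember which services are supposed to start automatically.
$before       = Get-ExchangeServiceState
$expectedAuto = $before | Where-Object StartMode -eq 'Auto' | Select-Object -ExpandProperty Name

$msp = 'C:\Updates\ExchangeSecurityUpdate.msp'   # placeholder path; use the downloaded package
if (-not (Test-Path -LiteralPath $msp)) { throw "Update package not found: $msp" }

# msiexec /update applies a patch package; the verbose log goes next to the Exchange setup logs.
$args = "/update `"$msp`" /passive /norestart /l*v C:\ExchangeSetupLogs\SecurityUpdate.log"
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
"msiexec exit code: $($proc.ExitCode) (0 = success, 3010 = success, reboot required)"

# Post-install check: any service that was Automatic before but is not now
# is the symptom the text describes; restore it and start it.
$after  = Get-ExchangeServiceState
$broken = $after | Where-Object { ($_.Name -in $expectedAuto) -and ($_.StartMode -ne 'Auto') }

foreach ($svc in $broken) {
    "Restoring $($svc.Name): startup type was $($svc.StartMode), state $($svc.State)"
    Set-Service -Name $svc.Name -StartupType Automatic
    Start-Service -Name $svc.Name
}

if (-not $broken) { 'All Exchange services kept their Automatic startup type.' }
Get-ExchangeServiceState | Format-Table -AutoSize
```

Run the script once per server and keep the msiexec log and the before/after service listing with your change record; a non-zero exit code other than 3010 means the update did not apply and the services output should be treated as the state to recover from, not as a success.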
Contact
Emergency Hotline 612-399-9680
General Number
612-888-9674
Mailing Address
1360 University Ave Ste 104 Unit 122
St. Paul MN 55104