24 Mar Hafnium Hack – How to run the patches, with simple, detailed instructions.
Why make such a “How to”?
Because all the articles we found so far talk about what to do, but none shows how to do it.
So let’s start.
1. HOW TO KNOW IF YOU ARE “INFECTED”
Download the “Test-ProxyLogon.ps1” script from Microsoft’s CSS-Exchange repository on GitHub: https://github.com/microsoft/CSS-Exchange/tree/main/Security
Open your “Exchange Management Shell” (click on the magnifying glass in the lower left corner of your screen and type the name), run the script from that shell and review its output: it looks for the indicators of compromise Microsoft published for these attacks, so treat any hit as a reason to investigate before (and after) patching.
2. INSTALL THE LATEST CU
Before you can apply the “.msp” security update you need a supported Cumulative Update (CU) already installed. The security update is built for specific CU levels and will not install on an older one, so check which CU your server is on first and bring it up to date if needed.
3. RUN YOUR EXCHANGE PATCH
After the CU is installed you can run the Exchange security update. Run the .msp from an elevated command prompt (open the prompt with “Run as administrator” and start the .msp from there): if you just double-click the file it runs without elevation, and the install can fail or leave Exchange services stopped. Reboot when it finishes and confirm the Exchange services are back up.
You can download it from the Microsoft site: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b
4. BLOCK SUSPICIOUS IPs
According to CISA (alert AA21-062A), a number of IP addresses were reported as indicators of compromise for these attacks: https://us-cert.cisa.gov/ncas/alerts/aa21-062a
For extra security we decided to block the above IPs on our firewall for both WAN and LAN traffic (incoming and outgoing connections).
After some hours we noticed WAN traffic coming in from those IPs: it seems they were checking whether the Exchange server was still available for whatever they intended to do.
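The same blocking, applied on the Exchange host’s own Windows firewall as a second layer behind the perimeter firewall the post describes, added here as an example (not code from the original post). It also turns on logging of dropped packets so that the kind of probing noticed above shows up in the log. The addresses in the script are constructed placeholders from the TEST-NET documentation ranges, not CISA’s list; paste the real addresses from the alert into the file. The file path and rule names are assumptions.

```powershell
# Added example (not from the original post): block IOC addresses inbound and
# outbound on the Windows firewall and log hits. Placeholder IPs below are
# constructed (TEST-NET ranges); replace the file's contents with CISA's list.
$IpFile = 'C:\ExchangePatch\hafnium-ips.txt'   # assumed path
if (-not (Test-Path $IpFile)) {
    '192.0.2.10', '198.51.100.0/24', '203.0.113.77' | Set-Content $IpFile
}

# Keep only lines that look like an IPv4 address or CIDR block; drop comments.
$Ips = Get-Content $IpFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$' }

foreach ($dir in 'Inbound', 'Outbound') {
    $name = "Block HAFNIUM IOCs ($dir)"
    # Remove an earlier copy so re-running with an updated list replaces it
    # instead of stacking duplicate rules.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
        -RemoteAddress $Ips -Profile Any -Enabled True | Out-Null
}

# Log dropped packets for all profiles so probes from these addresses are visible.
$LogFile = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogFileName $LogFile

# Later: count drops per source address. Log fields are space separated:
# date time action protocol src-ip dst-ip ... so src-ip is index 4.
# Note: the -contains test matches single addresses only, not CIDR blocks.
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" |
    Where-Object { $_ -match '^\S+ \S+ DROP ' } |
    ForEach-Object { ($_ -split ' ')[4] } |
    Where-Object { $Ips -contains $_ } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Blocking on the host as well as the perimeter means a mistake in the perimeter rule (or a path that bypasses it, such as the LAN side) still gets stopped, and the dropped-packet log gives you the same evidence of follow-up probing that the post observed on the WAN firewall.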