Locate Your Exchange Servers… NOW!

March 9, 2021

In the wake of the Exchange Mass-Hack with the HAFNIUM group and others widely exploiting CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, the team pushed an exposure check into the Core codebase on March 2 that utilizes the device’s fingerprint to quickly and automatically determine vulnerability on your attack surface.

While hopefully you’ve already patched your primary Exchange servers, but there’s a good chance it’s also running at your partners and subsidiaries, that it’s still not patched, and that it’s already compromised.

Given this, it’s more important than ever to have a fast and easy way to identify your assets, their software, and their degree of exposure to these threats. Below, we’ll show you how to get started finding these instances with our OSS Core engine.

Getting the Latest Core

To get the latest Core engine, see our Getting Started page. We’d suggest using the Docker image as updated with every push, and will require zero effort to get started. Just make sure to give your Docker process enough memory.

Scanning from an External Perspective

If you’re scanning from the outside, load up Intrigue Core, create a project:

Add a new project

Hit submit, and then kick off the “Profile an External Organization” Workflow.

When discovering externally, use the ‘Profile and External Organization’ workflow

Enter as many Domains and/or Networks as possible, one per line. The more the better. Core will enumerate hosts and application endpoints, fingerprinting each one as its identified. No other configuration is required. The primary fingerprinting mechanism is looking for OWA exposed on any port running HTTP.

Once identified, you’ll see the following on the Analysis -> App Technology page. This analysis is automatically provided during the discovery process by our unique and open fingerprinting library, Ident.

Application Technologies are automatically identified using the Ident library

Exposure checks are also enabled by default, and thus, as Exchange servers are identified, fingerprinted, and checked for vulnerability, you’ll see an issue entitled “Microsoft Exchange. Multiple RCE CVEs” on the Issues page when a vulnerable service is identified:

Issues are automatically populated during discovery

Scanning from an Internal Perspective

If you’re scanning internally, simply select the “Scan an Internal Network” workflow and enter as many network ranges as you know about. When in doubt, add a range in. Just as with the previous section, issues will be automatically populated as vulnerable instances were found.

Getting the Data Out

To get the data out of an instance, simply hit Export -> Download Issues (CSV), or any other format you prefer. You might also consider setting up automation with our API to run this automatically on a nightly basis, and setting up alerts or automated export using handlers. Our API which makes it easy to automate Core, for details – drop in our Community slack.

Easily download discovered issues using the Export functionality

Intrigue.io – The Easy Button

If you’re short on time, or prefer not to maintain an engine yourself, simply log into Intrigue.io. It’s as fast and easy as you’d expect. We’ll ask you to verify your domain and kick off data collection with a click, automatically running it as often as you’d like. These kind of threats shouldn’t require a firedrill. We help you get, and stay prepared.