This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:\\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you’re now in incident response mode.
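The check described in the post above, as an added PowerShell sketch that is not part of the original thread. It assumes PowerShell 4.0 or later in an elevated session on the Exchange/OWA host, reads "8 character" as a base name of exactly eight characters, and also descends into subfolders; the function name and the optional window parameters are hypothetical, and the caller supplies full dates because the post gives no year.

```powershell
# Added example, not from the original thread.
function Find-EightCharAspx {
    [CmdletBinding()]
    param(
        # Directory named in the post; override if IIS lives elsewhere.
        [string]$Path = 'C:\inetpub\wwwroot\aspnet_client\system_web',
        # Optional window of interest (assumption: caller passes full dates).
        [Nullable[datetime]]$WindowStart,
        [Nullable[datetime]]$WindowEnd
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Directory not found: $Path"
        return
    }

    # -Force includes hidden files; -Recurse covers version subfolders.
    Get-ChildItem -LiteralPath $Path -Filter '*.aspx' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName.Length -eq 8 } |
        ForEach-Object {
            # File timestamps can be altered, so InWindow is a hint, not proof.
            $inWindow = $null
            if ($WindowStart -and $WindowEnd) {
                $inWindow = ($_.CreationTime -ge $WindowStart -and $_.CreationTime -le $WindowEnd) -or
                            ($_.LastWriteTime -ge $WindowStart -and $_.LastWriteTime -le $WindowEnd)
            }
            [pscustomobject]@{
                FullName      = $_.FullName
                Length        = $_.Length
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                InWindow      = $inWindow
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Owner         = (Get-Acl -LiteralPath $_.FullName).Owner
            }
        }
}

$hits = @(Find-EightCharAspx)
if ($hits.Count -gt 0) {
    $hits | Format-List
    Write-Warning "$($hits.Count) matching file(s) found; preserve them before any cleanup."
} else {
    Write-Output 'No 8-character .aspx files found under the checked path.'
}
```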
@C_C_Krebs @briankrebs Unless you are in a local government system in any way connected to voting systems... in that case you have no need to investigate anything because you have the most secure computers in the history of America.
@C_C_Krebs Are we sure about the 2/26 date? @FireEye, @Volexity reporting early January activity. Possibly this from @TrendMicro, too: trendmicro.com/en_us/research…
@C_C_Krebs Is ActiveSync included as a vulnerable interface into Exchange?
@C_C_Krebs @rene_mobile Why does Microsoft let these products ship without adequate QA?
@C_C_Krebs @TheDaverSC Thank you for helping America for free. You should have your job back!