Chinese state-sponsored attackers used vulnerabilities in Microsoft Exchange to attack over 30,000 companies. The goal is to extract received emails to gather intelligence, banking details, and sensitive information. Shawn Waldman, CEO of Secure Cyber Defense, provides details of the attack as well as insights on vulnerabilities that might exist for Office 365 users. So, what steps should companies be taking to protect themselves from similar attacks? To learn what you should do in the event of a data breach, go HERE.
Specific Items to Monitor for:
Put Sysmon on your Exchange servers and start auditing process events.
Turn on Process Creation Auditing (this produces Security event ID 4688).
Check the contents of the inetpub folder.
If you go with Sysmon or 4688, pay attention to what w3wp.exe (the IIS worker process that hosts Exchange's web components) is doing: in particular, what child processes it spawns.
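The following is an added example, not code from the original post or from Secure Cyber Defense, showing how the last three items above fit together as a triage script: it takes 4688-shaped process creation records, flags every process whose creator is w3wp.exe, and diffs a current inetpub file listing against a known-good baseline. The event records and directory listings are constructed for the example. Two caveats a practitioner will want: the "Creator Process Name" (parent image path) field in 4688 exists on Windows 10 / Server 2016 and later, and the "Process Command Line" field is only populated when the "Include command line in process creation events" policy is enabled as well. The field names used below mirror the XML data names of the 4688 event.

```python
"""Added example: triage of 4688 process-creation records and an inetpub
baseline diff. Not part of the original post; all data here is constructed."""

from pathlib import PureWindowsPath

# Constructed sample records in the shape of Security log 4688 events
# (field names follow the event's XML data names). Not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "MSExchangeOWAAppPool"'},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4624, "TargetUserName": "svc_exchange"},  # logon event, ignored
]

# Constructed directory listings (not from the original post). The baseline
# is what a known-good snapshot of inetpub looked like; the placeholder
# file name in the current listing marks the kind of addition to review.
BASELINE_INETPUB = [
    r"C:\inetpub\wwwroot\iisstart.htm",
    r"C:\inetpub\wwwroot\iis-85.png",
]
CURRENT_INETPUB = [
    r"C:\inetpub\wwwroot\iisstart.htm",
    r"C:\inetpub\wwwroot\IIS-85.PNG",  # same file, different case on NTFS
    r"C:\inetpub\wwwroot\aspnet_client\CONSTRUCTED_unexpected.aspx",
]


def basename(path):
    """Lower-cased image file name from a Windows path ('' if path is empty)."""
    return PureWindowsPath(path).name.lower()


def w3wp_children(events, allowlist=frozenset()):
    """Return the 4688 records whose creator process is w3wp.exe.

    The IIS worker process that hosts Exchange has no business launching
    shells or scripting hosts, so every child it spawns is worth a look.
    `allowlist` holds child image names a given environment has confirmed
    benign; it is empty by default and should only grow from observation.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue  # only process creation events carry parent/child data
        if basename(ev.get("ParentProcessName", "")) != "w3wp.exe":
            continue
        if basename(ev.get("NewProcessName", "")) in allowlist:
            continue
        hits.append(ev)
    return hits


def new_inetpub_files(baseline, current):
    """Paths present in the current inetpub listing but not in the baseline.

    Comparison is case-insensitive because NTFS path lookups are; the
    result is sorted so repeated runs diff cleanly against each other.
    """
    seen = {p.lower() for p in baseline}
    return sorted(p for p in current if p.lower() not in seen)


if __name__ == "__main__":
    for ev in w3wp_children(SAMPLE_EVENTS):
        print("w3wp.exe spawned:", ev["NewProcessName"], "|", ev["CommandLine"])
    for path in new_inetpub_files(BASELINE_INETPUB, CURRENT_INETPUB):
        print("new file under inetpub:", path)
```

In production the records would come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` (or from Sysmon event ID 1, which carries the same parent/child pairing under `ParentImage`/`Image`), and the baseline listing from a snapshot taken before the server was exposed; the logic does not change. Note that the cmd.exe hit is found purely from the parent relationship, without needing the command line, which is why parent process auditing matters even where command line logging is not yet enabled.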