alphaspirit - stock.adobe.com
Microsoft has released a one-click mitigation tool to enable customers who may not have dedicated security or IT teams to apply emergency patches to their on-premise Exchange servers against the ProxyLogon vulnerabilities.
Redmond said it had been working actively with customers through its support teams, third-party hosting providers and its channel partner network to help them secure their environments and respond to threats resulting from attacks exploiting ProxyLogon – which began through a state-linked Chinese group known as Hafnium and have since spread far and wide to be exploited by many others, including ransomware gangs.
Based on these engagements, Microsoft’s teams realised there was a clear need for a “simple, easy-to-use, automated” solution to meet the needs of customers using current and out-of-support versions on on-premise Exchange Server.
Tested across Exchange Server 2013, 2016 and 2019 deployments, Microsoft said the new tool was supposed to serve as an “interim mitigation” for users who may not necessarily be familiar with standard patch and update procedures, or who have not yet applied the updates, which dropped on 2 March.
“By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed,” said Microsoft in its release notes.
“This tool is not a replacement for the Exchange security update, but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premise Exchange Servers prior to patching.”
Users who wish to take advantage of the tool should download it from Microsoft here, and run it on their Exchange Servers immediately, prior to following the established guidance here. Users who are already running Microsoft Safety Scanner should continue to do so to assist with further mitigations.
Once it has run, the new tool will mitigate against current known attacks exploiting CVE-2021-26855 – the initial entry vector, a server-side request vulnerability that enables a malicious actor to send arbitrary HTTP requests and authenticate as their target Exchange server – using a URL rewrite configuration, scan the Exchange Server for any issues, and attempt to reverse any changes that identified threats may have made. It should not affect any Exchange Server functionality.
It is important to note that this tool is effective only against attacks and exploits seen to date and is not guaranteed to fix attacks that may emerge in the immediate future – therefore, it should only be used as a temporary fix until full updates can be applied.
Microsoft is recommending it over its previous mitigation script as it is tuned based on up-to-date intelligence, but if you have started using the previous one, added its experts, it is absolutely fine to change to the new one.
More technical information, examples and guidance on using the tool can be found on GitHub.
Microsoft Exchange Server cyber attack timeline
- 3 March: Microsoft releases an emergency patch to address multiple zero-day exploits directed at on-premise installations of Exchange Server.
- 4 March: US CISA issues emergency guidance as impact of four newly disclosed Microsoft Exchange vulnerabilities becomes clearer.
- 5 March: Analysis from technical teams at FireEye’s Mandiant tracked activity exploiting newly disclosed vulnerabilities in Microsoft Exchange Server more than a month ago.
- 8 March: Microsoft said it’s seen increased Exchange Server attacks, as well as more threat actors beyond the Chinese state-sponsored Hafnium group conducting attacks.
- 9 March: European Banking Authority was breached through vulnerabilities in Microsoft Exchange Server, but is now back online.
- 10 March: Microsoft’s March Patch Tuesday update drops amid ongoing fall-out from widespread Exchange attacks.
- 11 March: Norway’s Parliament, the Storting, suffers second major cyber incident in a year as threat groups capitalise on vulnerable Microsoft Exchange Servers.
- 12 March: As predicted, ransomware gangs have started to target vulnerable instances of Microsoft Exchange Server, making patching an even greater priority.
- 12 March: UK’s national cyber agency calls on organisations affected by the ProxyLogon vulnerabilities to patch their Microsoft Exchange Servers immediately.
- 15 March: Exploitations of the Microsoft Exchange ProxyLogon vulnerabilities have increased tenfold in just four days.