Microsoft One-Click Tool Mitigates Exchange Server Attacks


Microsoft has released a “one-click” tool to help organizations with limited resources to temporarily mitigate the threat posed by recent global attacks on Exchange servers.

The “Microsoft Exchange On-Premises Mitigation Tool” has been designed for customers without dedicated IT or cybersecurity resources to help them patch the four zero-days being exploited in the wild, now known as “ProxyLogon” attacks.

“By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed,” Microsoft said.

“This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching.”

Once it has been run, the tool will mitigate attacks exploiting the above CVE, using a “URL rewrite configuration.” It will also run the Microsoft Safety Scanner and attempt to reverse any changes made by identified threats.

However, the Redmond giant was at pains to point out the tool shouldn’t be used as a replacement for patching, as it only works against attacks seen so far, and “is not guaranteed to mitigate all possible future attack techniques.”

Check Point Research claimed yesterday that it had seen a sixfold increase in exploit attempts targeting the zero-days in Exchange Server that Microsoft patched out-of-band at the start of the month.

Although initially Microsoft attributed attacks to a Chinese state-backed actor, dubbed Hafnium, researchers have since claimed that multiple APT groups have been attempting to exploit the same vulnerabilities for remote control, data theft, ransomware and more.

Microsoft warned last Friday that it had detected a new ransomware variant, DearCry, being used in attacks.

The firm has released new updates to cover end-of-life Exchange Server products, and cumulative updates which it said cover 95% of all versions exposed on the internet. As of Friday, around 80,000 servers were still unpatched globally.
