Microsoft has released a new tool that will install a mitigation for the ProxyLogon vulnerability in Exchange automatically on any vulnerable server.
The new tool is designed specifically to help organizations such as SMBs that likely do not have their own security personnel. Although the mitigation tool is not a complete patch for CVE-2021-26855, the server-side request forgery bug in Exchange that allows initial access, it does make changes that prevent the known exploits for the vulnerability from working. It will also reverse changes that known threat actors targeting the vulnerability have made to already exploited servers.
“Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool, to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update,” Microsoft said.
“This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching.”
The vulnerability that this tool addresses is one part of an attack chain that includes three other flaws in Exchange. Microsoft released emergency patches for all of those vulnerabilities on March 2, saying that a new threat actor it named Hafnium had been exploiting them to take control of mail servers and steal the contents of inboxes. Since then, a number of other groups have begun widespread attacks on these vulnerabilities, including several APT groups and cybercrime groups. In a small number of intrusions, attackers have installed a new ransomware variant called DearCry on servers after the initial compromise.
The attacks have not been limited to high-value targets such as large enterprises, technology companies, government agencies, and research facilities, but have also hit small municipalities, SMBs, and other organizations. That latter population is at a disadvantage relative to the larger companies, as smaller companies often don’t have their own security staff, and possibly not even an IT staff, to install security updates.
Although the patches have been available for two weeks now, there are still many vulnerable servers online. Data compiled by RiskIQ from an Internet-wide scan yesterday shows more than 65,000 unpatched Exchange servers worldwide. That number has been declining steadily, but 65,000 servers still offer plenty of opportunities for attackers, regardless of their motivations or backing.