Microsoft has recently published a very new, one-click mitigation tool, as Microsoft has recently identified various 0-day exploits that are generally being used by different threat actors to target the on-premises version of Microsoft Exchange Servers.
This Microsoft Exchange On-Premises Mitigation Tool generally enables the customers to address the vulnerabilities immediately that are being exploited in the current attacks.
This campaign was initially attributed to the China-linked hacker group, Hafnium, but, in reality, the security flaws that are exploited in this campaign are beyond Hafnium.
According to the report, the vulnerabilities that are being exploited recently are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Moreover, after a proper investigation that is executed by CyberNews, pronounces that there are still thousands of servers that are vulnerable after being released so many security updates as well as a one-click mitigation tool.
The cybersecurity experts have concluded that they have detected that more than 60000 vulnerable servers, that are left unpatched in the wild. Since we are looking at the “CVE-2021-26855” flaw only, but, the truth is that the vulnerable servers that contain the CVE-2021-26855, also contain the other flaws (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) as well.
Apart from this, in total, the security analysts have detected 62,174 vulnerable servers, and among them, most servers are from the US. The second place is obtained by Germany, third is France, the fourth UK, and the fifth most affected country is Italy.
However, currently, there are less than 10000 vulnerable systems, as last week the number of vulnerable systems fell by 45%, reported by the National Security Council (NSC).
Microsoft’s Mitigation Tool
This one-click Exchange On-premises Mitigation Tool (EOMT) basically offers the latest Microsoft Safety Scanner that enables all the small business owners to mitigate the very recent ProxyLogon vulnerabilities and the CVE-2021-26855 on any Exchange server.
In the Microsoft Exchange attack, there is Four Zero-day vulnerability that was used in this attack. As we said above that all these vulnerabilities are described as ProxyLogon and this vulnerability is actively being utilized by the threat actors to drop a web shell, crypto miners.
The cybersecurity experts have designed this new tool just like interim mitigation for all the customers, generally, those who were unfamiliar with the new updates method or those who have still not administered the on-premises Exchange security update.
Tasks could be performed by EOMT
In general, anyone who is using the tool can perform 3 tasks, and here they are mentioned below:-
- It enables you to mitigate against CVE-2021-26855, by utilizing the URL Rewrite configuration.
- This tool offers you the latest Microsoft Safety Scanner which enables you to scan the Exchange Server.
- It also allows you to reverse all the unknown and uncertain changes that are made by the recently recognised threats.
This vulnerability plays its role as an attack chain, and all the attacks, especially the initial attack, always require the ability to make an untrusted connection so that it can Exchange server port 443.
The experts affirmed that Microsoft can protect it by restricting all untrusted connections, or it can also protect by setting up a VPN to insulate the Exchange server from external access.
One should use all the mitigations properly, as using this mitigation will help to defend against the initial portion of the attack.
That’s why the security researchers have recommended that one should always prioritize installing updates on Exchange Servers.