[German]Microsoft is taking the next step in securing on-premises Exchange installations. Microsoft Defender not only detects infections of a system as a result of the ProxyLogon vulnerabilities. The virus scanner can also automatically detect a vulnerable system and closes the CVE-2021-26855 vulnerability on Exchange Server.
Hundreds of thousands of Exchange servers vulnerable
After all, at the beginning of March 2021 it became known that there were four vulnerabilities in on-premises Exchange Server versions 2013 – 1019, which allow compromising the installation with takeover. And the suspected state-affiliated Chinese hacking group Hafnium had managed to use these vulnerabilities to penetrate on-premises Exchange Servers for months. The vulnerability was not closed by security updates until March 2, 2021. I had reported about it in various blog posts (see links at the article’s end).
The attackers’ goal was to gain control of victims’ emails and possibly access and infiltrate their network infrastructure via Active Directory permissions. Administrators around the world were busy securing Exchange servers that could be accessed via the Internet through port 443 and were vulnerable to attack. Mass scans have been underway since late February 2021 to compromise vulnerable Exchange servers and install a web shell as a backdoor. Security vendors identified 170,000 to 280,000 potentially vulnerable Exchange instances.
Microsoft did release tools to detect infected Exchange systems. In addition, 9,000 Exchange servers have been taken offline in Germany in the last two weeks or access to OWA from the Internet has been prevented. However, approximately 12,000 of 56,000 Exchange servers with open OWA in Germany are still vulnerable to ProxyLogon. Meanwhile, cyber criminals and at least ten threat actors are also targeting vulnerable Exchange systems via the vulnerabilities and infecting them with ransomware or crypto miners.
Microsoft has released PowerShell scripts and tools to detect infections on Exchange Servers (see links at the end of the article) and also to fix them (Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released). But that’s probably not enough to quickly get a handle on Exchange Server instances.
Microsoft Defender hardens Exchange installations
As cybercriminals continue to exploit unpatched on-premises versions of Exchange Server 2013, 2016 and 2019, Microsoft is actively working with customers and partners to help them secure Exchange Server systems. In addition to security updates and the Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT), Windows Defender has already been able to detect certain malware.
Microsoft has just announced that both Microsoft Defender and System Center Endpoint Protection have been enhanced to automatically mitigate the CVE-2021-26855 vulnerability in unpatched instances of Exchange Server 2013-2019. With the latest Security Intelligence Update, Microsoft Defender Antivirus and System Center Endpoint Protection automatically mitigate the CVE-2021-26855 vulnerability on all vulnerable Exchange servers.
All that is required is that one of the aforementioned antivirus programs be installed on the Exchange server. User customers need do nothing more than ensure they have the latest Security Intelligence Update (build 1.333.747.0 or later) installed. If automatic updates are enabled, this new build will come automatically.
A scan will mitigate the CVE-2021-26855 vulnerability. Furthermore, the server is subjected to a scan and any tampering by known attackers that may be found is then reversed. This preliminary mitigation is intended to help customers protect themselves and allow time to install the latest Exchange cumulative update for their version. More details can be found in this Microsoft blog post.
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator’s Repository for affected Exchange systems
Microsoft Exchange (On-Premises) one-click Mitigation Tool (EOMT) released
Security update for Exchange Server 2013 SP1; CUs for Exchange 2019 and 2016 (03/16/2021)
Exchange ProxyLogon News: Patch status, new PoC and new findings (03/18/2021)
Cookies helps to fund this blog: Cookie settings