Microsoft Issues Mitigation Tool for an Exchange Server FlawOne-Click Mitigation Tool Provides Quick Fix for ProxyLogon Exchange Flaw
Microsoft has released an interim mitigation tool designed to help smaller organizations take quick action to prevent attacks that exploit the unpatched ProxyLogon flaw in on-premises Microsoft Exchange servers.
The one-click mitigation tool can assist Microsoft customers who are running either current or no longer supported on-premises versions of Exchange server to mitigate the risk until they can fully implement a patch.
The company warned last week that hackers were exploiting four unpatched flaws in Exchange servers. It has issued patches for all of the flaws (see: Microsoft Patches Four Zero-Day Flaws in Exchange).
Microsoft says it has tested the interim tool to mitigate the ProxyLogon Exchange flaw, CVE-2021-26855, on Exchange Server 2013, 2016 and 2019.
"This new tool is designed as interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update," the company says. "This tool is not a replacement for the Exchange security update, but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange servers prior to patching."
Once the interim tool is downloaded and deployed, users should follow Microsoft's guidance to ensure that their Exchange server is protected, the company says.
The tool comes with the latest Microsoft Safety Scanner and will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed, the company notes.
"If you are already using Microsoft Safety Scanner, it is still live, and we recommend keeping this running as it can be used to help with additional mitigations," the company states.
Last week, when Microsoft first released security updates to patch the flaws, it warned that a new Chinese APT group, which it calls Hafnium, had been exploiting the vulnerabilities.
The security firm ESET, however, reports that at least 10 APT groups have been exploiting the flaws.
Some Exchange servers with the unpatched ProxyLogon flaw are being targeted by DearCry ransomware, which security company Sophos describes as "unsophisticated" and apparently "created by a beginner."