Microsoft released a simple application that mitigates the ProxyLogon vulnerabilities in Microsoft Exchange Servers prior to patching.
A widespread series of attacks hit multiple companies using Exchange Servers in the past month or so. The attacks are attributed to Chinese state-sponsored hackers known as Hafnium.
Last week, Microsoft said that of the roughly 400,000 Exchange servers deployed across the internet, 80,000 servers haven’t been patched against the ProxyLogon vulnerabilities yet.
The company recommends using the new script over the previously released ExchangeMitigations.ps1 script. The tool is available for download in Microsoft’s official GitHub account.
The new tool is called the Exchange On-premises Mitigation Tool (EOMT) and is written in PowerShell. It is intended to help companies that don’t employ security teams to protect their on-premises Exchange Servers.
“We realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server,” Microsoft wrote in a press release.
Any employee of a company can download EOMT onto the Windows system running the Exchange mail server and execute the EOMT.ps1 PowerShell script by double-clicking it.
“The Exchange On-premises Mitigation Tool automatically downloads any dependencies and runs the Microsoft Safety Scanner. This is a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation,” Microsoft wrote.
The script automatically installs a URL Rewrite configuration that mitigates the CVE-2021-26855 vulnerability. The tool also runs a copy of the Microsoft Safety Scanner app to scan the Exchange server for known web shells. It can automatically remove any backdoor it finds and cut off the attacker’s access.
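As an added check that is not part of this article or of Microsoft’s EOMT: the PowerShell snippet below lists the URL Rewrite rules on the Exchange web site and reports the installed Exchange build, so an administrator can confirm that a rewrite mitigation is present and compare the build against Microsoft’s published patch levels. It assumes the IIS WebAdministration module is available on the Exchange server; the site name 'Default Web Site' and the Safety Scanner log path are assumptions.

```powershell
# Added verification example (not Microsoft's EOMT code).
# Assumes: run elevated on the Exchange server, IIS WebAdministration module present.
Import-Module WebAdministration

function Get-ExchangeBuild {
    # The ExSetup.exe file version matches the installed Exchange build
    # (cumulative update / security update level). Compare it with the
    # build numbers Microsoft lists for the March 2 and March 9 updates.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return $exsetup.FileVersionInfo.ProductVersion
}

function Get-InboundRewriteRules {
    param([string]$SiteName = 'Default Web Site')   # assumed site name
    # URL Rewrite keeps its rules under system.webServer/rewrite/rules
    # in the site's web.config; each <rule> element is returned here.
    Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
                         -PSPath "IIS:\Sites\$SiteName" |
        Select-Object name,
                      @{ n = 'Pattern'; e = { $_.match.url } },
                      @{ n = 'Action';  e = { $_.action.type } }
}

function Test-SafetyScannerRan {
    # Microsoft Safety Scanner (msert.exe) writes its log here; the path is
    # an assumption and may differ on your system.
    $log = Join-Path $env:SystemRoot 'debug\msert.log'
    if (Test-Path $log) {
        return (Get-Item $log).LastWriteTime
    }
    return $null
}

Write-Host "Exchange build: $(Get-ExchangeBuild)"
$rules = @(Get-InboundRewriteRules)
if ($rules.Count -eq 0) {
    Write-Host "No URL Rewrite rules found on the site; mitigation not present."
} else {
    $rules | Format-Table -AutoSize
}
$scan = Test-SafetyScannerRan
if ($scan) { Write-Host "Safety Scanner log last written: $scan" }
else       { Write-Host "No Safety Scanner log found; msert has not run here." }
```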
Microsoft says the tool can be used both to apply mitigations and to double-check that mitigations previously applied by hand were installed correctly. Those who installed the patches released on March 2 or those released on March 9 do not need to use EOMT.