News

Microsoft Releases Exchange On-Premises Mitigation Tool to Address Hafnium Attacks Quickly

• By Kurt Mackie
• 03/16/2021

Microsoft on Tuesday announced the release of a one-click tool to apply temporary security protections against the recent Exchange Server attacks from the "Hafnium" advanced persistent threat group and other attackers.

The Hafnium purported nation-state attacks have quickly shifted to other threat actors who are using the zero-day Exchange Server exploits to install ransomware, Microsoft acknowledged on Friday. About 83,000 servers were yet to be patched, it noted at that time. The chaining of the four Exchange Server exploits by the Hafnium group are sometimes referred to as the "ProxyLogon" attacks.

Exchange On-Premises Mitigation Tool
The newly released "Exchange On-Premises Mitigation Tool" works with Exchange Server 2013, 2016 and 2019 products. It can also work with Exchange Server 2010 product if PowerShell 3 is supported, but it has "minimal functionality."

The tool is a PowerShell script that automates Microsoft's recommended mitigation steps for organizations that haven't applied the latest cumulative updates to Exchange Server, as well as its March 2 out-of-band security patches.

Microsoft still recommends that organizations keep Exchange Server patched with the latest updates as the best, necessary and required approach. The new tool is just conceived as a temporary measure for organizations to more quickly address the widespread Hafnium and related security threats.

Here's how it was expressed in the announcement:

Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.

Organizations with unpatched Exchange Servers should run the Exchange On-Premises Mitigation Tool as soon as possible. Microsoft also recommends running this tool if organizations "have already patched your systems and are protected, but did not investigate for any adversary activity, indicators of compromise, etc."

Mitigations
The Exchange On-Premises Mitigation Tool carries out the following steps:

• Mitigate against current known attacks using CVE-2021-26855 using a URL Rewrite configuration.
• Scan the Exchange Server using the Microsoft Safety Scanner.
• Attempt to reverse any changes made by identified threats.

Microsoft is recommending the use of the Exchange On-Premises Mitigation Tool over the use of its earlier released ExchangeMitigations.ps1 script, explaining that the new tool offers "a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation." The older script applies mitigations for all four vulnerabilities, but it doesn't check for compromises or take action, plus it could affect Exchange functionality.

Requirements
Organizations will need to have PowerShell 3 or later versions installed and IIS 7.5 or later to use the new tool. The Exchange On-Premises Mitigation Tool needs to be run with administrator privileges, and it requires having an external Internet connection from an Exchange server, which is used to "download the Microsoft Safety Scanner and the IIS URL Rewrite Module."

If organizations don't have Exchange Server with an external Internet connection, then they can still use the older ExchangeMitigations.ps1 PowerShell script, Microsoft noted.

The new tool will run the Microsoft Safety Scanner, which has "Quick Scan" and "Full Scan" options. By default, it runs a Quick Scan. It can take "days or hours" for the Full Scan to complete, but Microsoft recommends using it "if you suspect any compromise." Moreover, Full Scan is required to remediate threats if organizations aren't using Microsoft Defender anti-virus.

The Exchange On-Premises Mitigation Tool will flag .ZIP files generally. It's because Webshells associated with the Exchange Server attacks are using those files for exfiltration purposes. IT pros will need to check if those .ZIP files are valid.

More Guidance
For organizations seeking more guidance, the U.S. Cybersecurity and Infrastructure Security Agency, which advises government agencies, recently published this compendium of articles. It includes descriptions of the China Chopper Webshells that are being used in the Exchange Server Hafnium attacks.

A sobering discussion by Microsoft Most Valuable Professionals (MVPs) on the gravity of Exchange Server attacks can be found in a Quest-sponsored talk, which is available on-demand here. During the talk, MVP Michael Horenbeeck suggested that organizations should be concerned even if they just use Exchange Server for managing hybrid environments, and even if the Exchange Server they use isn't connected to the Internet.