Exchange Server Hafnium Mitigations Available via Microsoft Defender Antivirus -- Redmondmag.com

Exchange Server Hafnium Mitigations Available via Microsoft Defender Antivirus

By Kurt Mackie
03/19/2021

Microsoft on Thursday clarified that organizations running Exchange Server can get automatic security mitigations against Hafnium attacks via Microsoft Defender Antivirus.

The mitigations enabled by Microsoft Defender Antivirus are designed to reverse any changes made by attackers. So-called "Hafnium" nation-state attackers have been exploiting four zero-day vulnerabilities in the Exchange Server product, ostensibly for espionage purposes. The attackers have used these Exchange Server flaws to install Webshells to enable persistence across networks.

Microsoft issued patches for the four zero-day Exchange Server vulnerabilities back on March 2. However, those patches just fix the vulnerabilities in as-yet-unattacked systems. As an assurance, organization are advised to check for indicators of compromise associated with the attacks, even if they've patched their Exchange Server systems.

Microsoft has provided some tools to that end, as recently described this week. Just one of those forensic tools, the Exchange On-Premises Mitigation Tool, will automatically attempt to reverse changes made by an attacker.

However, if organizations are using Microsoft Defender Antivirus with the latest security intelligence update installed, namely "build 1.333.747.0 or newer," then they'll get automatic mitigation of changes associated with the CVE-2021-26855 vulnerability. The Microsoft Update Guide described CVE-2021-26855 as "the initial attack in this attack chain" that targets Exchange Server implementations.

The mitigation enabled by Microsoft Defender Antivirus is just deemed to be a temporary measure. Microsoft advises IT pros to apply its latest Exchange Server cumulative updates and security patches.

A "security intelligence update" apparently is an enhancement to the security intelligence of the Microsoft Defender Antivirus product, per this Microsoft description.

The mitigation enabled by Microsoft Defender Antivirus will occur without any IT pro actions if the product has "automatic definition updates enabled." Enabled is the product's default setting.

For organization that don't use Microsoft Defender Antivirus but want automatic mitigation applied to Exchange Server, Microsoft is recommending the use of the Microsoft Exchange On-Premises Mitigation Tool.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.
PowerShell Script Used in Phishing Attack May Be AI-Generated

A PowerShell script being used in a novel malware campaign may have been created by AI, according to security researchers at Proofpoint.
Using Microsoft Office to Build a Network Diagram, Part 1

Keeping documentation is a great way to ease your future hardware refresh and have what you need for insurance purposes.
Microsoft Claims Breakthrough in Quantum Computing Reliability

A new paper details Microsoft's recent progress in quantum computing -- specifically, its development of a system that is both significantly less prone to errors and better at correcting them.