Exchange Server Hafnium Mitigations Available via Microsoft Defender Antivirus
Microsoft on Thursday clarified that organizations running Exchange Server can get automatic security mitigations against Hafnium attacks via Microsoft Defender Antivirus.
The mitigations enabled by Microsoft Defender Antivirus are designed to reverse any changes made by attackers. So-called "Hafnium" nation-state attackers have been exploiting four zero-day vulnerabilities in the Exchange Server product, ostensibly for espionage purposes. The attackers have used these Exchange Server flaws to install Webshells to enable persistence across networks.
Microsoft issued patches for the four zero-day Exchange Server vulnerabilities back on March 2. However, those patches just fix the vulnerabilities in as-yet-unattacked systems. As an assurance, organization are advised to check for indicators of compromise associated with the attacks, even if they've patched their Exchange Server systems.
Microsoft has provided some tools to that end, as recently described this week. Just one of those forensic tools, the Exchange On-Premises Mitigation Tool, will automatically attempt to reverse changes made by an attacker.
However, if organizations are using Microsoft Defender Antivirus with the latest security intelligence update installed, namely "build 1.333.747.0 or newer," then they'll get automatic mitigation of changes associated with the CVE-2021-26855 vulnerability. The Microsoft Update Guide described CVE-2021-26855 as "the initial attack in this attack chain" that targets Exchange Server implementations.
The mitigation enabled by Microsoft Defender Antivirus is just deemed to be a temporary measure. Microsoft advises IT pros to apply its latest Exchange Server cumulative updates and security patches.
A "security intelligence update" apparently is an enhancement to the security intelligence of the Microsoft Defender Antivirus product, per this Microsoft description.
The mitigation enabled by Microsoft Defender Antivirus will occur without any IT pro actions if the product has "automatic definition updates enabled." Enabled is the product's default setting.
For organization that don't use Microsoft Defender Antivirus but want automatic mitigation applied to Exchange Server, Microsoft is recommending the use of the Microsoft Exchange On-Premises Mitigation Tool.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.