Microsoft has announced the release of a one-click on-premises mitigation tool for Microsoft Exchange Server, which means that companies using Exchange services can apply the updates released by the company "in a single click". In this way, IT administrators in enterprise environments can roll out the Redmond firm's new security patches to all of the organization's machines with a simple installation. It is not a final solution, but rather a way to mitigate the possible impact of this attack while the update containing the patches is being applied.
It should be remembered that at the beginning of this month an attack on Microsoft Exchange Server was made public. According to reports, a group of hackers in China, Hafnium, was attacking servers in different countries around the world through this Redmond software. It affects Exchange Server versions 2013 through 2019.
Serves to mitigate the risk of exploits until patches arrive
Already at that time, the company released security patches to correct the problem, but the attacks continued. The new tool, according to ZDNet, is designed to mitigate the threat posed by four actively exploited vulnerabilities. The Redmond company estimates that at least 82,000 servers remain unpatched and vulnerable to attack.
The company had previously published a script on GitHub that administrators could run to check whether their servers contained indicators of compromise (IOCs) linked to the vulnerabilities. However, after discussing the situation with customers and partners, Microsoft said that a simple, automated solution was needed for customers running both current and out-of-support versions of Exchange Server on-premises. The Microsoft Exchange On-Premises Mitigation Tool has been tested on Exchange Server 2013, 2016 and 2019.
It is important to note that the tool is not an alternative to patching, but should be considered a means of mitigating the risk of exploits until the update is applied, which should be done as soon as possible. "This tool is not a substitute for the Exchange security update; it is the fastest and easiest way to mitigate the greatest risks to Internet-connected on-premises Exchange servers before patching," says Microsoft.
An attack in early March that continues to cause problems
At the beginning of this month, the company had warned that Chinese hackers were exploiting a flaw in Exchange Server, its messaging system for businesses, to access their emails and contact lists, and that they could also install malware.
According to information provided by Microsoft, Hafnium mainly targets entities in the United States (but also in other countries) in order to access information from various sectors, such as infectious disease researchers, law firms, higher education institutions, contractors, advocacy groups, political think tanks and NGOs. Although Hafnium is based in China, it carries out its operations mainly from virtual private servers (VPS) rented in the United States.
The attacks consist of three steps. First, the attackers gain access to an Exchange server using stolen passwords or previously unknown vulnerabilities, disguising themselves as someone who should have access. Second, they create what is called a web shell to control the compromised server remotely. Third, they use that remote access, operated from private servers based in the United States, to steal data from the organization's network.