ARN

Microsoft Defender bakes in automatic on-premises Exchange Server mitigation

Included in the latest security intelligence update — build 1.333.747.0 or newer.

Microsoft has updated Microsoft Defender Antivirus and System Center Endpoint Protection to automatically mitigate CVE-2021-26855 on vulnerable Exchange servers.

According to Microsoft, Defender Antivirus applies the mitigation automatically: the first time the security intelligence update is deployed, it identifies vulnerable versions of Exchange Server on the machine and applies the mitigation, once per machine.

The mitigation ships in the latest security intelligence update, build 1.333.747.0 or newer, which must be installed manually if automatic updates are turned off.

The mitigation is not, however, definitive protection against the attack chain, which also uses CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065. It is designed as a stopgap for customers while they install the latest Exchange security updates.
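The checks an administrator would run on an on-premises Exchange server to confirm the two points above, as an added example (not code from the article or from Microsoft): whether the installed security intelligence build is at or above 1.333.747.0, forcing an update if it is not, and which Exchange build is installed so it can be compared against the patched builds Microsoft publishes. It assumes Defender Antivirus is the active AV (so the Defender module's Get-MpComputerStatus and Update-MpSignature cmdlets are available) and that it runs elevated on the Exchange server itself; the registry key and ExSetup.exe path are the standard Exchange 2013/2016/2019 install locations.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumes: Defender Antivirus is the active AV, the script runs elevated on the
# Exchange server, and Exchange is installed under the v15 setup registry key.

$RequiredSignature = [version]'1.333.747.0'   # build named in the article

function Test-DefenderMitigationSignature {
    param([version]$Required = $RequiredSignature)
    $status    = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        InstalledSignature = $installed
        RequiredSignature  = $Required
        MitigationPresent  = ($installed -ge $Required)
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
    }
}

function Get-ExchangeSetupBuild {
    # The setup key holds the install path; ExSetup.exe's product version reflects
    # the installed Cumulative Update plus Security Update, which is the number to
    # compare against Microsoft's list of patched builds.
    $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction SilentlyContinue
    if (-not $setup) { return $null }
    $exsetup = Join-Path $setup.MsiInstallPath 'bin\ExSetup.exe'
    (Get-Item $exsetup).VersionInfo.ProductVersion
}

$check = Test-DefenderMitigationSignature
$check | Format-List

if (-not $check.MitigationPresent) {
    Write-Warning ("Signature {0} predates {1}; pulling the latest security intelligence update." -f $check.InstalledSignature, $check.RequiredSignature)
    Update-MpSignature -ErrorAction Stop
    $check = Test-DefenderMitigationSignature
    $check | Format-List
}

# The Defender mitigation is a stopgap: the server still needs the Exchange
# security update, so surface the installed build for comparison.
$build = Get-ExchangeSetupBuild
if ($build) {
    "Installed Exchange build (ExSetup.exe): $build"
} else {
    Write-Warning 'Exchange Server v15 setup key not found; is this an Exchange 2013/2016/2019 server?'
}
```

If automatic updates are disabled, Update-MpSignature is the manual step the article refers to; the Exchange build printed at the end is what decides whether the server still needs the security update regardless of what Defender reports.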

The attack chain was first flagged by Microsoft in early March, when it identified the China-based state-sponsored actor Hafnium as the primary group behind the exploits at the time. 

The chain of exploits broadly starts with the actor gaining access to an Exchange server, either with stolen passwords or by exploiting the vulnerabilities, so that it appears to be a user with legitimate access.

The actor then creates a web shell to control the compromised server remotely, and uses that access, run from US-based private servers, to steal data.

For customers that don't have Microsoft Defender Antivirus, Microsoft recommended the Exchange On-Premises Mitigation Tool, or EOMT, which it released last week on GitHub.

The EOMT script mitigates known attacks against CVE-2021-26855 by installing a URL Rewrite configuration on the server. It then scans the Exchange Server with Microsoft Safety Scanner and attempts to reverse changes made by any threats it identifies.
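A post-run check for the URL Rewrite part of that mitigation, as an added example that is not part of the article or of EOMT itself: it lists the rewrite rules on the Exchange web site and flags whether any rule filtering on the request cookies the CVE-2021-26855 mitigation targets is present. It assumes the IIS URL Rewrite module and the WebAdministration PowerShell module are installed, that the mitigation is applied to the Default Web Site, and that the rule names or conditions mention the X-AnonResource-Backend or X-BEResource cookie names; adjust the site name and match pattern if your deployment differs.

```powershell
# Added example, not code from the article or from EOMT.
# Assumes: IIS URL Rewrite module and the WebAdministration module are present,
# the mitigation was applied to 'Default Web Site', and the rule names or
# condition patterns reference X-AnonResource-Backend / X-BEResource.

Import-Module WebAdministration

function Get-SiteRewriteRules {
    param([string]$Site = 'Default Web Site')
    $rules = Get-WebConfiguration -PSPath "IIS:\Sites\$Site" -Filter 'system.webServer/rewrite/rules/rule'
    foreach ($rule in $rules) {
        $conditions = $rule.conditions.Collection | ForEach-Object { "$($_.input) ~ $($_.pattern)" }
        [pscustomobject]@{
            Name       = $rule.name
            Enabled    = $rule.enabled
            Action     = $rule.action.type
            Conditions = ($conditions -join '; ')
        }
    }
}

function Test-ProxyLogonRewriteMitigation {
    param([string]$Site = 'Default Web Site')
    $all = Get-SiteRewriteRules -Site $Site
    $hit = $all | Where-Object {
        ($_.Name + ' ' + $_.Conditions) -match 'X-AnonResource-Backend|X-BEResource' -and $_.Enabled
    }
    [pscustomobject]@{
        Site            = $Site
        RuleCount       = @($all).Count
        MitigationRules = @($hit)
        Mitigated       = (@($hit).Count -gt 0)
    }
}

$result = Test-ProxyLogonRewriteMitigation
if ($result.Mitigated) {
    "Rewrite mitigation present on '$($result.Site)':"
    $result.MitigationRules | Format-Table -AutoSize
} else {
    Write-Warning "No enabled CVE-2021-26855 rewrite rule found on '$($result.Site)' ($($result.RuleCount) rules total); run EOMT.ps1 or apply the Exchange security update before exposing this server."
}
```

The rule list is read from the site's live IIS configuration, so it also shows any rules an attacker or a later change removed or disabled, which a simple "did EOMT finish" check would miss; as with the Defender mitigation, a present rule only buys time until the Exchange security update is installed.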