Microsoft has updated Microsoft Defender Antivirus and System Center Endpoint Protection to automatically mitigate CVE-2021-26855 on vulnerable Exchange servers.
According to the company, Microsoft Defender Antivirus applies the mitigation by automatically identifying vulnerable versions of Exchange Server the first time the security intelligence update is applied; the mitigation runs only once per machine.
The mitigation is included in the latest security intelligence update (build 1.333.747.0 or later), which must be applied manually if automatic updates are turned off.
The mitigation, however, is not a complete defence against the attack chain, which also includes CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065. It is intended as a stopgap for customers while they install the latest Exchange security updates.
Microsoft first disclosed the attack chain in early March, when it identified the China-based actor Hafnium as the main group behind the campaigns at the time.
The attack chain generally begins with an actor gaining access to an Exchange server, either with stolen passwords or through the vulnerabilities, so as to appear as someone with legitimate access.
The actor then creates a web shell to remotely control the compromised server, and uses that access, through US-based private servers, to steal data. For customers who do not run Microsoft Defender Antivirus, Microsoft recommends the Exchange On-Premises Mitigation Tool (EOMT), which it released last week on GitHub.
The EOMT script works by applying a URL Rewrite configuration to mitigate known attacks that use CVE-2021-26855. It then scans the Exchange server with the Microsoft Safety Scanner and attempts to reverse changes made by known threats.
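The mitigation described above only takes effect once the security intelligence build that carries it is installed, so a defender's first check is the Defender signature version. The following is an added example, not Microsoft's or EOMT's own code; it assumes the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is available on the Exchange host and compares the installed build against the 1.333.747.0 threshold named in the article.

```powershell
# Added example (not Microsoft's code): confirm that the Defender security
# intelligence build carrying the CVE-2021-26855 mitigation is present, and
# trigger a manual signature update if it is not (needed when automatic
# updates are turned off, as the article notes).
function Test-DefenderMitigationBuild {
    param(
        # Minimum build per the article; adjust if Microsoft publishes a newer threshold.
        [version]$RequiredBuild = [version]'1.333.747.0'
    )

    $status    = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion

    [pscustomobject]@{
        InstalledBuild     = $installed
        RequiredBuild      = $RequiredBuild
        MitigationPresent  = ($installed -ge $RequiredBuild)
        RealTimeProtection = $status.RealTimeProtectionEnabled
        LastSignatureCheck = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderMitigationBuild
if (-not $result.MitigationPresent) {
    Write-Warning ("Security intelligence {0} is older than {1}; requesting update." -f `
        $result.InstalledBuild, $result.RequiredBuild)
    Update-MpSignature
    # Re-read the status so the report reflects the post-update build.
    $result = Test-DefenderMitigationBuild
}
if (-not $result.RealTimeProtection) {
    Write-Warning "Real-time protection is disabled; the automatic mitigation will not run."
}
$result | Format-List
```

Run the check on each on-premises Exchange server; a host that still reports MitigationPresent = False after the update should be patched directly or mitigated with EOMT rather than left waiting on the signature.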
