Microsoft Defender Can Now Automatically Prevent Exchange Server Exploits

Microsoft has rolled out a security intelligence update for Defender Antivirus that mitigates CVE-2021-26855, the entry-point vulnerability in the Exchange Server ProxyLogon chain, by applying a URL Rewrite rule to the server's IIS configuration. Defender will also scan the server for known threats and undo the changes they made.

The Redmond company rolled out out-of-band security patches in early March after it was discovered that attackers were chaining four zero-day vulnerabilities in Exchange Server, first for espionage and then, as other groups adopted the exploits, for ransomware attacks. The vulnerabilities affect on-premises Microsoft Exchange Server 2013, 2016, and 2019.

Microsoft Defender Will Mitigate Exchange Server Exploits

Among the four zero-day vulnerabilities, the one that Defender now mitigates (CVE-2021-26855) is the most serious: it is a server-side request forgery that lets an unauthenticated attacker reach the Exchange back end, and it is the entry point for the other three. Microsoft says that Defender Antivirus will automatically assess whether an Exchange Server is vulnerable and apply the mitigation if it is.

However, Microsoft also notes in a post on its security blog that this interim mitigation is a temporary measure while businesses and enterprises worldwide install the Exchange security update, since only the update fully addresses the vulnerabilities. The mitigation blocks the known exploit path; it does not remove the flaw.

The Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases. This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.

If Microsoft Defender Antivirus is installed on your Exchange Server with automatic security intelligence updates enabled, the mitigation is applied automatically. If your organization manages Defender updates centrally, you need to make sure that the security intelligence build 1.333.747.0 or newer is deployed to the Exchange Server.
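The two things an administrator actually wants to confirm after reading this are that the Defender signature build on the server is at or above 1.333.747.0 and that the URL Rewrite mitigation really is present in IIS. The script below is an added example, not code from the article and not Microsoft's own mitigation or Defender code. It assumes (not stated in the article) that the rule is written into the Default Web Site's root web.config under C:\inetpub\wwwroot, that it aborts requests whose cookies reference the names X-AnonResource-Backend or X-BEResource, which is how Microsoft's public mitigation scripts express the block, and that the Defender PowerShell module is available, as it is on Windows Server. Adjust $WebConfigPath and $BlockedCookieNames if your deployment differs. Run it in an elevated PowerShell session on the Exchange server.

```powershell
# Added example (not from the article, not Microsoft's code): verify the interim
# ProxyLogon mitigation on an on-premises Exchange server.
# Assumptions are marked as such below.

Set-StrictMode -Version Latest

$RequiredSignature  = [version]'1.333.747.0'          # build named in the article
$WebConfigPath      = Join-Path $env:SystemDrive 'inetpub\wwwroot\web.config'  # assumption: Default Web Site root
$BlockedCookieNames = @('X-AnonResource-Backend', 'X-BEResource')             # assumption: cookie names the rule blocks
$CookieRegex        = ($BlockedCookieNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Test-DefenderSignature {
    # Compares the live Defender AV signature build against the required minimum.
    param([version]$Minimum = $RequiredSignature)
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Check  = 'Defender AV signature build'
        Pass   = [bool]($status.AntivirusEnabled -and ($current -ge $Minimum))
        Detail = "installed $current, need >= $Minimum, AV enabled: $($status.AntivirusEnabled)"
    }
}

function Get-RewriteAbortRules {
    # Returns every URL Rewrite rule in a web.config that aborts the request
    # and whose match/condition patterns reference one of the blocked cookies.
    param([string]$Path = $WebConfigPath)
    if (-not (Test-Path -Path $Path)) { return @() }
    [xml]$cfg = Get-Content -Path $Path -Raw
    $rules = $cfg.SelectNodes('/configuration/system.webServer/rewrite/rules/rule')
    foreach ($rule in $rules) {
        $action   = $rule.SelectSingleNode('action')
        $aborts   = ($null -ne $action) -and ($action.GetAttribute('type') -eq 'AbortRequest')
        $patterns = @($rule.SelectNodes('.//@pattern') | ForEach-Object { $_.Value })
        $hits     = @($patterns -match $CookieRegex)
        if ($aborts -and $hits.Count -gt 0) {
            [pscustomobject]@{ Name = $rule.GetAttribute('name'); Patterns = ($hits -join '; ') }
        }
    }
}

function Test-UrlRewriteMitigation {
    # Wraps the rule search into a pass/fail check.
    param([string]$Path = $WebConfigPath)
    $found = @(Get-RewriteAbortRules -Path $Path)
    [pscustomobject]@{
        Check  = 'IIS URL Rewrite abort rule for SSRF cookies'
        Pass   = ($found.Count -gt 0)
        Detail = if ($found.Count -gt 0) { ($found | ForEach-Object { "$($_.Name): $($_.Patterns)" }) -join ' | ' }
                 else { "no AbortRequest rule referencing $($BlockedCookieNames -join '/') in $Path" }
    }
}

function Test-CookieBlocked {
    # Offline emulation of the rule's intent: does this Cookie header carry one
    # of the blocked cookie names? (Emulation, not the IIS rewrite engine.)
    param([Parameter(Mandatory)][string]$CookieHeader)
    [bool]($CookieHeader -match $CookieRegex)
}

# Live checks on the server.
$results = @(Test-DefenderSignature; Test-UrlRewriteMitigation)
$results | Format-Table -Property Check, Pass, Detail -AutoSize -Wrap

# Constructed sample input (not captured traffic): the cookie shape ProxyLogon
# SSRF requests use, and a benign session cookie for contrast.
$ssrfCookie   = 'X-BEResource=localhost/autodiscover/autodiscover.xml?a=~1942062522;'
$benignCookie = 'ASP.NET_SessionId=abc123; ClientId=XYZ'
"SSRF-style cookie blocked: $(Test-CookieBlocked -CookieHeader $ssrfCookie)"
"Benign cookie blocked:     $(Test-CookieBlocked -CookieHeader $benignCookie)"
```

Both checks report Pass as a boolean so the script can be dropped into a larger compliance run. The web.config is read directly as XML rather than through the WebAdministration provider, so the rule search also works on a copy of the file pulled from a server you are not logged on to. A passing result here still only means the known exploit path is blocked; the Exchange security update remains the fix.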

If you do not use Microsoft Defender, you can run the one-click Exchange On-premises Mitigation Tool (EOMT) that Microsoft released to apply the same URL Rewrite mitigation and scan the server, protecting against the ProxyLogon vulnerability that affects tens of thousands of Exchange customers.


Microsoft Exchange Servers Worldwide Are Being Subjected to Ransomware Attacks

Ever since the Hafnium hacking group first exploited the ProxyLogon vulnerabilities, Microsoft Exchange servers worldwide have been under attack, increasingly by ransomware operators. The issue is serious enough that the US Department of Homeland Security's CISA issued an emergency directive (ED 21-02) ordering federal agencies to patch or disconnect affected servers.

The Hafnium group chained the four zero-day vulnerabilities into a single attack path that gives an unauthenticated attacker remote code execution on the server. Once Hafnium's activity was exposed and the exploits became public, the same chain was used to plant web shells, crypto-mining malware, and the DearCry ransomware.

Acer has also been hit by a $50 million ransomware attack from the REvil ransomware group, which reportedly used the same Exchange Server exploits to get in.

Source: makeuseof.com
