Report: 92 Percent of Microsoft Exchange Servers Are Now Protected Against ProxyLogon

Microsoft reports that around 92 percent of all Microsoft Exchange Servers are now updated and protected against the ProxyLogon vulnerability that has plagued the service—and security research and response teams—for weeks.

The figure of unpatched Microsoft Exchange Servers stands at around 30,000, down from a high of around 400,000.

Huge Reduction in Vulnerable Microsoft Exchange Servers

An exact total number of vulnerable Microsoft Exchange Servers isn’t known.

However, on March 2, when Microsoft released its first set of security patches, around 400,000 Exchange Servers were vulnerable to the ProxyLogon vulnerability. One week after the security patches were launched and implemented, on March 9, that figure had dropped to around 100,000 unpatched servers.

Now, Microsoft’s latest report indicates that there are under 30,000 vulnerable Exchange Servers remaining.

Since that tweet, it’s likely the number has decreased further.

Microsoft has taken substantial steps towards protecting the vulnerable Microsoft Exchange Servers in the face of the prolonged ProxyLogon vulnerability. For example, the Exchange On-Premises Mitigation Tool (EOMT) is a one-click ProxyLogon patching tool that makes it easier for Microsoft Exchange Server customers to rapidly secure their infrastructure.

Microsoft has also added an automatic patching tool to Microsoft Defender. According to a post on the official Microsoft Security blog, customers using Microsoft Defender Antivirus and System Center Endpoint Protection will “automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed.”

Is This the End of ProxyLogon?

ProxyLogon has been a serious issue for Microsoft’s Exchange Server customers. The attack has affected tens of thousands of servers, covering businesses of all shapes and sizes.

The ProxyLogon vulnerability strung together four zero-day exploits to attack Microsoft Exchange Servers. After the disclosure of the vulnerability, multiple industries around the world reported a surge in attacks, with Microsoft Exchange Server customers reporting cryptocurrency mining malware, various types of ransomware, web shells, and more all being deployed by malicious parties.

An ESET Research blog post found that Microsoft Exchange Servers were under attack from “at least 10 APT [Advanced Persistent Threat] groups,” all of whom were seeking to capitalize on the vulnerability.

“We noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso, and the Winnti Group. This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates.”

The ProxyLogon vulnerability isn’t quite over. There are still more than 20,000 vulnerable Microsoft Exchange Servers, but customers and security firms alike will hope that the end is in sight.

Source: makeuseof.com
