Microsoft has released a tool called EOMT (Exchange On-premises Mitigation Tool), a one-click script that mitigates the ProxyLogon vulnerabilities on Microsoft Exchange servers. The utility is already available for download on the company's GitHub.
In early March 2021, Microsoft engineers released unscheduled patches for four vulnerabilities in the Exchange mail server, which the researchers dubbed ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).
Experts from Palo Alto Networks and Microsoft estimate that about 80,000 vulnerable Exchange servers are still exposed to the internet and could be compromised.
Vulnerable servers are currently being attacked by roughly ten threat groups, which deploy web shells, cryptocurrency miners and ransomware on them.
Above all, EOMT is intended for companies without their own IT specialists who could understand the ProxyLogon problem and install the necessary updates correctly.
Installing the patches has its own pitfalls. It was previously reported that if UAC is enabled and the Exchange security update is run without elevation, the installation can appear to succeed while leaving some components unpatched. The updates therefore have to be installed from an elevated session, that is, explicitly run as administrator.
Microsoft now hopes that anyone in the company can handle the download and simply run EOMT.ps1. The script installs an IIS URL Rewrite rule on the server, which is enough to mitigate CVE-2021-26855, the server-side request forgery that is the entry point of the exploit chain known collectively as ProxyLogon. Note that this is an interim mitigation, not a replacement for the security updates.
The tool also runs a copy of Microsoft Safety Scanner (MSERT), which scans the Exchange server for the known web shells seen in ProxyLogon attacks. Where it finds one, Safety Scanner removes the web shell, cutting off the attackers' access.
Let me also remind you that a researcher recently published a PoC exploit for the ProxyLogon vulnerabilities in Microsoft Exchange, and that GitHub subsequently removed the ProxyLogon exploit, a decision that drew criticism.