Microsoft has added a new feature to Exchange Server that will automatically take action to remediate high-risk vulnerabilities (most likely already exploited by hackers).This should protect Exchange servers from attacks and give administrators more time to install full-fledged patches when Microsoft releases them. The fact is that zero-day vulnerabilities in Microsoft Exchange have recently been regularly exploited by “government hackers”, as well as by groups pursuing financial gain.
For example, I recently wrote about US and UK accused China for attacks on Microsoft Exchange servers. Moreover, Sophos experts have discovered the Epsilon Red ransomware that exploits vulnerabilities in Microsoft Exchange servers to attack other machines on the network.
The new functionality is called Microsoft Exchange Emergency Mitigation (EM) and is based on the Exchange On-premises Mitigation Tool (EOMT), released in March this year to help identify and fix ProxyLogon problems.
EM runs as a Windows service on Exchange Mailbox servers and will be automatically installed on Exchange Server 2016 and Exchange Server 2019 mailbox servers after the September 2021 cumulative update (or newer) is deployed. Administrators can disable EM if they don’t want Microsoft to automatically apply security measures to their servers.
The new functionality will detect Exchange servers that are vulnerable to one or more known issues and automatically apply temporary mitigation measures to them (until administrators can apply full patches).
So far EM offers three types of protection:
- A custom rule blocks certain patterns of malicious HTTP requests that could compromise the Exchange server.
- disabling the vulnerable service on the Exchange server;
- disabling the vulnerable application pool on the Exchange server.
Let me also remind you that I talked about the fact that Hackers attack Microsoft Exchange servers on behalf of Brian Krebs.