To remediate the recent Exchange server vulnerabilities, Microsoft has released a new mitigation tool to assist organizations in their efforts to help stop the ongoing exploitation against vulnerable Exchange servers. The Exchange On-premises Mitigation Tool (EOMT) contains all of the mitigations to prevent exploitation of CVE-2021-26855 and fulfill all the dependencies necessary to protect Exchange before patching. The script will also attempt to remediate compromised devices by removing any lingering web shells. Microsoft recommends that IT administrators who have not yet patched use this script over the previous ExchangeMitigations.ps1 script as EOMT automates the process, so long there is an active Internet connection to download the dependencies.
Analyst Notes
With all of Microsoft’s current mitigations, it is highly recommended that all organizations dealing with the ongoing vulnerabilities implement these mitigations and apply patches as soon as possible. With current POCs making exploitation easy for any criminal actors, and the ongoing incidents with the newly discovered DearCry ransomware, the urgency to apply mitigations and patches is all the more critical. Making use of other tools such as the http-vuln-cve2021-26855.nse Nmap script will enable organizations to scan their external IP block to search for any vulnerable devices still externally exposed.
References:
https://github.com/microsoft/CSS-Exchange/tree/main/Security – exchange-on-premises-mitigation-tool-eomt
https://therecord.media/microsoft-shares-one-click-mitigation-tool-for-exchange-servers/
