Microsoft releases a one-click mitigation tool for its critical Exchange flaw

Microsoft recently released security updates for the “Hafnium” vulnerability that has been wreaking havoc on its Exchange mail and calendar servers. However, those updates were designed primarily for large organizations with IT departments that can handle the relatively complex deployment. Microsoft has now launched a “one-click” mitigation tool aimed at smaller companies that is relatively easy to run.

When run, the tool first mitigates the currently known attacks that exploit the flaw (CVE-2021-26855) by adding a URL rewrite rule that drops requests matching the known exploit pattern before they reach Exchange. It then scans the Exchange server with the Microsoft Safety Scanner and attempts to reverse any changes made by the threats it identifies.

Microsoft stresses that the tool should only be used as a temporary mitigation until Exchange servers can be fully updated, as described in its previous guidance.

Microsoft notes that the tool only mitigates the attacks it has seen so far and may not be effective against future exploitation techniques. It also said the tool is not a replacement for the previously released Exchange security updates, “but it is the fastest and easiest way to mitigate the greatest risks for internet-connected, on-premises Exchange servers before applying the patch,” the company wrote. After running the tool, organizations must still take the steps to fully update their Exchange servers, as the company detailed previously.

The vulnerability exploited by the Chinese hacker group Hafnium has been a disaster for companies using Exchange servers, to say the least. In the United States, the group has infiltrated at least 30,000 organizations, including police departments, hospitals, local governments, banks, credit unions, nonprofits and telecommunications providers. Worldwide, the number of victims reaches hundreds of thousands.

Microsoft now suspects that the Hafnium hackers may have obtained the information needed to carry out the attack from private disclosures it made to some of its security partners, the WSJ reported. Investigators at the software giant apparently noticed that the second wave of Exchange attacks resembled “proof of concept” attack code that Microsoft distributed to security partners on February 23. That partner group includes about 80 companies worldwide, 10 of which are based in China. Microsoft said it sent the code to a subset of that group, but declined to say whether any Chinese companies were included in that distribution.
