Microsoft has released a one-click Exchange On-premises Mitigation Tool (EOMT) so that small business owners can easily mitigate the recently disclosed ProxyLogon vulnerabilities.
Earlier this month, Microsoft disclosed that four zero-day vulnerabilities were being actively used in attacks against Microsoft Exchange. These vulnerabilities are collectively known as ProxyLogon and are being used by threat actors to drop web shells, cryptominers and, more recently, the DearCry ransomware on exploited servers.
Today, Microsoft released the EOMT one-click PowerShell script so that small business owners who do not have dedicated IT or security teams can get additional help securing their Microsoft Exchange servers.
“We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks.”
“Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server,” Microsoft explains in a blog post today.
When run, the EOMT script performs the following steps:
- Checks if the server is vulnerable to the ProxyLogon vulnerabilities.
- Mitigates the CVE-2021-26855 Server-Side Request Forgery (SSRF) vulnerability by installing the IIS URL Rewrite module and a regular expression rule that aborts any connections containing the ‘X-AnonResource-Backend’ and ‘X-BEResource’ cookie headers.
- Downloads and runs the Microsoft Safety Scanner to remove known web shells and other malicious scripts installed through these vulnerabilities. The script then removes any malicious files that are found.
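To make the cookie-based mitigation concrete, here is an added Python example (not Microsoft's EOMT code) that applies the same decision the URL Rewrite rule makes to a few constructed sample requests; the case-insensitive matching, the header lookup and all sample values are assumptions, not details taken from Microsoft's rule.

```python
import re

# Cookie names the EOMT URL Rewrite rule aborts requests on (named on the page).
BLOCKED_COOKIE_NAMES = ("X-AnonResource-Backend", "X-BEResource")

# Assumption: match a cookie *name* at the start of the header or after a ';',
# case-insensitively, so a differently cased cookie cannot slip past the check.
_BLOCK_RE = re.compile(
    r"(?:^|;)\s*(?:" + "|".join(re.escape(n) for n in BLOCKED_COOKIE_NAMES) + r")\s*=",
    re.IGNORECASE,
)


def get_header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def should_abort(headers):
    """Decision the mitigation makes for one request: True when the Cookie
    header carries either backend-routing cookie, False otherwise."""
    return _BLOCK_RE.search(get_header(headers, "Cookie")) is not None


def triage(requests):
    """Run should_abort over (request_line, headers) pairs and return the
    request lines the rule would have aborted, in order."""
    return [line for line, headers in requests if should_abort(headers)]


# Constructed sample traffic; hostnames and cookie values are placeholders.
SAMPLE_REQUESTS = [
    ("GET /owa/ HTTP/1.1",
     {"Host": "mail.example.test", "Cookie": "ASP.NET_SessionId=abc123"}),
    ("GET /mapi/ HTTP/1.1",
     {"Host": "mail.example.test", "Cookie": "X-BEResource=PLACEHOLDER"}),
    ("POST /ecp/ HTTP/1.1",
     {"Host": "mail.example.test",
      "cookie": "X-AnonResource=true; x-anonresource-backend=PLACEHOLDER"}),
    # X-AnonResource alone is not one of the two named cookies, so it passes.
    ("GET /ecp/ HTTP/1.1",
     {"Host": "mail.example.test", "Cookie": "X-AnonResource=true"}),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_REQUESTS):
        print("would abort:", line)
```

The fourth sample shows the rule's scope: a request carrying only X-AnonResource is not aborted, so the rule is a stopgap for CVE-2021-26855 rather than a substitute for patching.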
Microsoft recommends that admins and business owners run the Exchange On-premises Mitigation Tool (EOMT) based on the following scenarios:

| Scenario | Guidance |
|---|---|
| If you have done nothing to date to patch or mitigate this issue... | Run EOMT.PS1 as soon as possible. This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns |
| If you have mitigated using any/all of the mitigation guidance Microsoft has given (ExchangeMitigations.ps1, Blog post, etc.) | Run EOMT.PS1 as soon as possible. This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns |
| If you have already patched your systems and are protected, but did NOT check for any adversary activity, indicators of compromise, etc. | Run EOMT.PS1 as soon as possible. This will attempt to remediate any existing compromise that may not have been fully remediated before patching. |
| If you have already patched and investigated your systems for any indicators of compromise, etc. | No action is required |
After running the EOMT script, users can find a log file at C:\EOMTSummary.txt that provides information on the tasks performed by the tool.
In addition to running EOMT, admins are advised to run the Test-ProxyLogon.ps1 script to also check for indicators of compromise (IOCs) in Exchange HttpProxy logs, Exchange log files, and Windows Application event logs.