Microsoft Introduces One-Click ProxyLogon Fix Tool



Microsoft has released a tool called EOMT (Exchange On-premises Mitigation Tool) that is designed to protect Microsoft Exchange servers against the ProxyLogon vulnerabilities with a single run. The utility is already available for download from the company's GitHub.

In early March 2021, Microsoft released out-of-band patches for four vulnerabilities in the Exchange mail server, which researchers collectively named ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).

These vulnerabilities can be chained together so that an attacker can authenticate to the Exchange server, gain administrative rights, install malware and steal data.

According to estimates by Palo Alto Networks and Microsoft, about 80,000 vulnerable Exchange servers are still reachable from the internet and could be compromised.

Vulnerable servers are currently being attacked by roughly ten hacking groups, which deploy web shells, cryptominers and ransomware on them.

First of all, EOMT is intended for companies without their own IT specialists who could understand the ProxyLogon problem and install the necessary updates correctly. Installing the patches themselves is not always trouble-free. For example, it was reported earlier that if UAC is enabled and the Exchange update is launched from a non-elevated prompt, the installer can appear to succeed while leaving part of the fix uninstalled. The update must therefore be run from an elevated prompt, as an administrator.

Microsoft now hopes that anyone in a company can download EOMT and run it simply by launching EOMT.ps1. The script installs a URL Rewrite configuration on the server that is enough to block CVE-2021-26855, the starting point of the exploit chain known collectively as ProxyLogon.

The tool also runs the Microsoft Safety Scanner, which scans the Exchange server for known web shells that have been seen in ProxyLogon attacks. If it finds any, Microsoft Safety Scanner removes the backdoor and cuts off the attackers' access. Microsoft itself stresses that the URL Rewrite mitigation is an interim measure and not a replacement for the actual security update, and removing a web shell does not rule out other persistence an intruder may already have established, so a server that shows signs of compromise still needs to be investigated.
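The following PowerShell script is an added example written for this article; it is not code from Microsoft or from the EOMT project. It does what the two paragraphs above describe in order: refuses to run unless the prompt is elevated (the UAC trap mentioned earlier), downloads EOMT.ps1, runs it with a full Safety Scanner scan, and then checks that the URL Rewrite rule actually landed in IIS. The short link https://aka.ms/eomt, the -RunFullScan switch and the rule name containing "X-AnonResource" are assumptions from memory of the tool, not statements from the article; confirm them with Get-Help .\EOMT.ps1 before relying on them.

```powershell
# Added example (not Microsoft's or EOMT's own code). Run on the Exchange server
# from an elevated PowerShell prompt.
#
# Assumptions (not stated on the page):
#   * https://aka.ms/eomt redirects to the current EOMT.ps1 on GitHub
#   * EOMT.ps1 accepts a -RunFullScan switch for a full MSERT scan
#   * the mitigation rule it adds to the Default Web Site has "X-AnonResource"
#     in its name

# 1. Stop early if the prompt is not elevated. With UAC enabled, a non-elevated
#    run is exactly how updates end up silently half-installed.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Open PowerShell with 'Run as administrator' and run this script again."
}

# 2. Download the script. Older hosts default to TLS 1.0, which GitHub rejects,
#    so force TLS 1.2 for this session.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$eomt = Join-Path $env:TEMP 'EOMT.ps1'
Invoke-WebRequest -Uri 'https://aka.ms/eomt' -OutFile $eomt -UseBasicParsing

# 3. Apply the CVE-2021-26855 URL Rewrite mitigation and run a full
#    Microsoft Safety Scanner pass (switch name is an assumption, see above).
& $eomt -RunFullScan

# 4. Verify, independently of the script's own output, that a rewrite rule
#    now exists on the Default Web Site. The name match is an assumption.
Import-Module WebAdministration
$rules = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter 'system.webServer/rewrite/rules/rule' -Name 'name'
$mitigation = @($rules | Where-Object { $_.Value -like '*X-AnonResource*' })

if ($mitigation.Count -gt 0) {
    Write-Host "Mitigation rule present: $($mitigation[0].Value)"
} else {
    Write-Warning "No ProxyLogon rewrite rule found on the Default Web Site; re-run EOMT and check its log."
}

# 5. Remind the operator that this is a stopgap: the Exchange security update
#    still has to be installed, from an elevated prompt, to close the other CVEs.
Write-Host "Mitigation only. Install the Exchange security update as administrator to fully patch the server."
```

The IIS check in step 4 matters because EOMT's own "success" message comes from the same process that may have been blocked by a proxy or a missing URL Rewrite module; reading the rule back from the IIS configuration is an independent confirmation. If the rule is absent, look at the EOMT log in the temp folder before running the script again, and in any case schedule the real security update, since the rewrite rule only blocks the entry point of the chain and does nothing for CVE-2021-26857, CVE-2021-26858 or CVE-2021-27065 if an attacker already has a foothold.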