Microsoft recently released a patch for the "Hafnium" vulnerability that has been wreaking havoc across its Exchange email and calendar servers. However, that fix is designed mostly for large organizations with IT departments that can handle the relatively complex deployment. Now, Microsoft has released a "one-click" mitigation tool for smaller companies that's relatively easy to install.
Once you run the application, it will first mitigate against current known attacks that exploit the flaw (CVE-2021-26855) using a URL rewrite configuration. It will then scan your Exchange server using the Microsoft Safety Scanner and attempt to reverse any changes made by identified threats.
"This tool should only be used as a temporary mitigation until your Exchange servers can be fully updated as outlined in our previous guidance," Microsoft said.
Microsoft notes that the tool will only work against attacks that it has seen so far and may not be effective against future hacks. It also said that the tool is not a replacement for the previously released Exchange patches "but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange servers prior to patching." After running the tool, all organizations should still take steps to fully update their Exchange servers as the company previously detailed.
The vulnerability exploited by the Chinese Hafnium hacking group has been a disaster for companies using Exchange servers, to say the least. In the US, the group infiltrated at least 30,000 organizations including police departments, hospitals, local governments, banks, credit unions, non-profits and telecommunications providers. Worldwide, the number of victims is reportedly in the hundreds of thousands.
Microsoft now suspects that the Hafnium hackers may have obtained the information necessary to carry out the attack from private disclosures it made to some of its security partners, the WSJ has reported. Investigators from the software giant apparently noticed that the second wave of the Exchange attack resembled "proof of concept" attack code that Microsoft distributed to security partners on February 23rd. That group includes about 80 companies worldwide, 10 of which are based in China. Microsoft said it sent the code to a subset of that group, but declined to say whether any Chinese companies were included in the release.