Brian Jackson - Fotolia

Microsoft releases tools as Exchange Server attacks increase

Microsoft said it's seen increased Exchange Server attacks, as well as more threat actors beyond the Chinese state-sponsored Hafnium group conducting attacks.

Microsoft developed new threat detection tools for attacks connected with last week's Exchange Server zero-day vulnerabilities, as the number of affected organizations has increased.

The technology giant released two threat detection tools in recent days for on-premises Exchange Server customers potentially impacted by exploits caused by a number of zero-days disclosed last week. Following the initial disclosure in which Microsoft referred to attacks as "limited and targeted," multiple news outlets over the weekend reported the number of impacted organizations in the tens of thousands.

One tool is a script, Test-ProxyLogon.ps1, that scans for indicators of compromise (IOC) in relevant zero-days. ProxyLogon refers to CVE-2021-26855, a server-side request forgery vulnerability disclosed on March 2 as one of four Exchange Server zero-days. While the name refers to just one zero-day vulnerability, it is closely related to and can work in conjunction with the other disclosed vulnerabilities.

The other tool scans for web shells, which are scripts that grant threat actors remote access and, in some cases, complete control of a compromised server. The Microsoft Security Resource Center blog post covering the tool and a list of mitigations related to the attack said that "These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack."

Both tools were most recently updated over the weekend, and Microsoft strongly recommended that all on-premises Exchange Server customers install the latest security updates.

Since Friday, news outlets reported different figures regarding the number of organizations impacted by the zero-days being exploited. Reuters cited an anonymous source who put the initial estimate at more than 20,000 organizations, while KrebsOnSecurity reported that several anonymous sources placed the number much higher -- at least 30,000 organizations in the U.S. alone.

Microsoft's only recent public reference to the potential number of victims came in a Friday update to its initial blog post discussing zero-days being exploited by the Chinese state-sponsored group Hafnium, which said that "Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM."

Microsoft declined to respond directly to SearchSecurity's request for an estimated victim count, but a spokesperson provided the following comment.

"We are working closely with the CISA, other government agencies, and security companies, to ensure we are providing the best possible guidance and mitigation for our customers," the spokesperson said. "The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources."

The attacks against Microsoft Exchange Server have followed a similar trajectory to the now-infamous SolarWinds attacks, nation-state attacks initially believed to be smaller in scale before the scope of victims got significantly larger.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Application and platform security