Windows Defender Automatically Protects against ProxyLogon

ProxyLogon is a major vulnerability affecting Microsoft Exchange Server. It was registered as CVE-2021-26855 and has been actively exploited in recent times. Anyone running an unpatched Exchange server on Windows could fall victim to this problem and put their security at risk. Now, however, thanks to the latest addition to Windows Defender, they no longer have to fear this flaw even before patching.

Windows Defender adds automatic mitigation against ProxyLogon

Windows Defender antivirus is undoubtedly a fundamental tool that all users of this popular operating system should keep in mind. It helps us protect the computer from external threats and is also responsible for mitigating vulnerabilities that may exist. Here is what they have done against the ProxyLogon threat.

Protects against ProxyLogon

Microsoft indicates that this is a provisional mitigation. They stress that the Exchange security update remains the most comprehensive way to protect servers from these attacks and from the similar ones fixed in previous releases. However, this interim mitigation is designed to help protect users who have not yet deployed the appropriate updates.

This is Microsoft Defender's automatic protection against active attacks targeting unpatched Exchange servers, and it works by breaking the attack chain. It automatically mitigates CVE-2021-26855 through a URL rewrite configuration, and it scans servers for changes made by previous attacks, automatically reverting them.

They also indicate that both Microsoft Defender Antivirus and System Center Endpoint Protection will apply this mitigation automatically on any vulnerable Exchange server.
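Because the mitigation described above is delivered through Defender rather than through the Exchange update itself, an administrator will want to confirm that Defender is actually running on the Exchange server with current signatures, and to check the installed Exchange build so the interim mitigation is not mistaken for the full patch. The PowerShell below is an added example written for this article; it is not Microsoft's code. It uses the documented `Get-MpComputerStatus` cmdlet and the file version of `Exsetup.exe`, and it assumes you fill in the patched build number from Microsoft's advisory yourself (the placeholder value is not a real build).

```powershell
# Added example: check that Defender AV is active and recently updated, and
# report the installed Exchange build. Run as an administrator on the Exchange server.

# Placeholder only: replace with the patched build number published by Microsoft
# for your Exchange version. This value is an assumption, not a real release.
$PatchedBuild = [version]'0.0.0.0'

# 1. Defender status: the automatic mitigation only applies if AV is enabled
#    and its security intelligence (signatures) is current.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled           = $mp.AntivirusEnabled
    RealTimeProtectionEnabled  = $mp.RealTimeProtectionEnabled
    SignatureVersion           = $mp.AntivirusSignatureVersion
    SignatureLastUpdated       = $mp.AntivirusSignatureLastUpdated
    SignatureAgeDays           = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
} | Format-List

if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning 'Defender AV or real-time protection is disabled; the interim mitigation will not be applied.'
}

# 2. Installed Exchange build, taken from the Exchange setup binary on disk.
$exsetup = Get-Command Exsetup.exe -ErrorAction SilentlyContinue
if ($null -eq $exsetup) {
    Write-Warning 'Exsetup.exe not found in PATH; is this an Exchange server?'
} else {
    $installed = [version]$exsetup.FileVersionInfo.FileVersion
    "Installed Exchange build: $installed"
    if ($installed -lt $PatchedBuild) {
        Write-Warning 'Exchange build is below the patched build; the Defender mitigation is only a stopgap until the security update is installed.'
    }
}
```

The point of the second check is the caveat Microsoft itself makes in the article: a Defender status of "protected" means the URL rewrite stopgap is in place, not that the server is patched, so the build comparison is what tells you whether the security update still needs to be deployed.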

Note that Microsoft has released ProxyLogon security updates for Microsoft Exchange Server 2019, 2016, and 2013, as well as a step-by-step guide to help address these attacks. However, as we have indicated, there are still many users who have not updated correctly, and from now on they will be protected automatically.


Attacks against Exchange servers

In recent weeks we have seen numerous attacks targeting Exchange servers that have affected many organizations. These vulnerabilities are known as ProxyLogon and are being used to deploy web shells, cryptocurrency miners, and most recently DearCry ransomware payloads on compromised on-premises Exchange servers.

According to Palo Alto Networks, more than 125,000 Exchange servers remain vulnerable today because they have not been patched correctly. This makes every one of them a target for attackers.

As we always indicate in these articles, we recommend keeping systems correctly updated. Always running the latest security versions with all patches installed helps keep our computers safe at all times. It is a mistake to leave any operating system, application or device out of date. Keeping Windows Defender itself up to date has also proven to be essential.

In this case we have seen a problem that affects Windows servers. However, there are many more vulnerabilities out there that affect all types of systems and devices. We must always install every available update.