Roughly 92% of all Internet-connected on-premises Microsoft Exchange servers affected by the ProxyLogon vulnerabilities are now patched and safe from attacks, Microsoft said on Monday.
A total of 400,000 Internet-connected Exchange servers were impacted by the ProxyLogon vulnerabilities when Microsoft issued the initial security patches, on March 2, with over 100,000 of them still unpatched one week later, on March 9.
Microsoft now says that there are now 43% fewer vulnerable on-premises Exchange servers are reachable over the Internet within a single week of concerted patching efforts worldwide.
From around 82,000 unpatched Exchange servers on March 14, according to Microsoft, there are now roughly 30,000 still exposed to attacks around the world according to RiskIQ data.
“Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates,” the Microsoft Security Response Center tweeted on Monday.
Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates:
• 92% of worldwide Exchange IPs are now patched or mitigated.
• 43% improvement worldwide in the last week. pic.twitter.com/YhgpnMdlOX
— Security Response (@msftsecresponse) March 22, 2021
Microsoft published additional sets of security updates after March 11, covering over 95% of all vulnerable versions exposed on the Internet and step-by-step guidance to help address these ongoing attacks.
The company also released a one-click Exchange On-premises Mitigation Tool (EOMT) tool to enable small business owners to quickly mitigate the recently disclosed ProxyLogon vulnerabilities even without the help of a dedicated security team.
Additionally, Microsoft Defender Antivirus has been updated to automatically protect unpatched Exchange servers from ongoing attacks by automatically mitigating the actively exploited ProxyLogon bugs.
Abused to deploy ransomware and cryptominers
This month, Microsoft disclosed that four zero-days were actively being exploited in attacks against on-premises Microsoft Exchange servers.
These vulnerabilities are collectively known as ProxyLogon and are being exploited in indiscriminate attacks targeting organizations from multiple industry sectors worldwide, attempting to steal sensitive information.
Threat actors behind ProxyLogon attacker have been observed deploying web shells, cryptomining malware, and, more recently, DearCry and Black Kingdom ransomware payloads on compromised on-premises Exchange servers.
Since Microsoft disclosed the ongoing attacks, Slovak internet security firm ESET has also discovered at least ten APT groups targeting unpatched Exchange servers.
CISA officials said two weeks ago that, so far, there is no evidence of US federal civilian agencies compromised during these ongoing Exchange attacks.
The conclusion is based on data collected by federal agencies following an emergency directive issued by CISA days after the ProxyLogon security updates were released, one week ago.
CISA’s emergency directive ordered the agencies to urgently update or disconnect their on-premises Exchange servers and check their networks for indicators of compromise.