The Department of Homeland Security’s cybersecurity unit has ordered federal agencies to urgently update or disconnect Microsoft Exchange on-premises products on their networks.
The Cybersecurity and Infrastructure Security Agency (CISA) issued the Emergency Directive 21-02 Wednesday after Microsoft patched four zero-day Exchange bugs in emergency out-of-band security updates and shared info on active exploitation in the wild.
“Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange servers, enabling them to gain persistent system access and control of an enterprise network,” CISA said.
CISA “strongly” recommended federal agencies to examine their networks to detect malicious activity related to zero-day attacks targeting Exchange servers.
“If no indications of compromise have been found, agencies must immediately apply Microsoft patches for Microsoft Exchange servers and proceed to Action 5,” CISA added.
Agencies that identify indications of compromise should “immediately disconnect Microsoft Exchange on-premises servers” and “await guidance before rebuilding from trusted sources utilizing the latest version of the product available.”
CISA asked the agencies to immediately report incidents if any of the following criteria are met:
Identification of indicators of compromise as outlined in CISA Activity Alert.
Presence of web shellcode on a compromised Microsoft Exchange on-premises server.
Unauthorized access to or use of accounts.
Evidence of lateral movement by malicious actors with access to compromised systems.
Other indicators of unauthorized access or compromise.
Other indicators related to this issue to be shared by CISA in the Activity Alert.
We encourage all organizations to read our directive and take appropriate steps to protect their networks: https://t.co/UbVEmDAE76 (2/2) #InfoSec #NetworkSecurity — Cybersecurity and Infrastructure Security Agency (@CISAgov) March 3, 2021
Earlier this week, Microsoft and multiple cybersecurity firms disclosed ongoing attacks coordinated by several Chinese-backed hacking groups.
The attacks target US organizations from multiple industry sectors and are attempting to exploit Internet-exposed on-premises Exchange servers to steal sensitive information.
Slovak internet security firm ESET identified three state-sponsored threat actors: the Chinese-backed APT27, Bronze Butler (aka Tick), and Calypso.
The company added that it also detected several other APT groups it wasn’t able to identify.
Microsoft identified a fourth Chinese-backed group named Hafnium observed while attacking US orgs’ on-premises Exchange servers.
Active exploitation of these Microsoft Exchange zero-days began “as early as January 6, 2021,” as incident response firm Volexity revealed.
Microsoft is also urging administrators to “install these updates immediately” to defend vulnerable Exchange servers from ongoing attacks.