CISA Orders Immediate Action on Vulnerabilities in Microsoft Exchange Servers


All agencies must report their status to CISA by noon on March 5.

Federal agencies must track and capture data related to all on-premises Microsoft Exchange Servers and investigate whether they’ve been compromised or immediately disconnect such instances from their networks, the Cybersecurity and Infrastructure Security Agency ordered.

“CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products,” reads an emergency directive the agency issued Wednesday. “Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.”

Microsoft flagged the vulnerabilities Tuesday and attributed their exploitation to a threat actor it called HAFNIUM, which it believes is a state-sponsored group operating out of China. 

“After identifying all instances of on-premises Microsoft Exchange Servers in the environment, agencies that have the expertise shall forensically triage artifacts using collection tools (see CISA’s Activity Alert for examples) to collect system memory, system web logs, Windows event logs, and all registry hives,” reads the first step in the directive. “Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities as described in the Activity Alert.”

If agencies find indicators of compromise or if they are not able to do the forensic analysis, they must “immediately disconnect Microsoft Exchange on-premises servers” and report incidents to CISA, the directive said. 

If agencies don’t find any indicators of compromise, they must immediately install Microsoft’s patches for the vulnerabilities.
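As an added example (not from the directive, the article, or CISA’s Activity Alert), the PowerShell below collects three of the four artifact classes the directive names from an on-premises Exchange server and writes a SHA-256 manifest so the evidence can be verified later. It assumes it runs elevated on the server itself, that IIS logs are in the default location, and that system memory is captured separately with a dedicated imaging tool.

```powershell
#Requires -RunAsAdministrator
# Added example, not CISA's or Microsoft's code. Collects web logs, Windows
# event logs and registry hives into a timestamped triage folder. Memory
# capture is left to a dedicated tool (PowerShell has no built-in imager).
[CmdletBinding()]
param(
    [string]$OutputRoot = 'C:\Triage',                                          # assumption: local evidence root
    [string]$IisLogRoot = (Join-Path $env:SystemDrive 'inetpub\logs\LogFiles')  # assumption: default IIS log path
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Web logs: OWA/ECP/EWS requests to the Exchange front end are logged by IIS.
if (Test-Path $IisLogRoot) {
    Copy-Item -Path $IisLogRoot -Destination (Join-Path $dest 'iislogs') -Recurse -ErrorAction Continue
} else {
    Write-Warning "IIS log directory not found at $IisLogRoot"
}

# 2. Windows event logs: export the channels most useful for spotting
#    credential dumping and other post-exploitation activity.
$evtDir = New-Item -ItemType Directory -Path (Join-Path $dest 'eventlogs') -Force
foreach ($log in 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational') {
    $file = Join-Path $evtDir.FullName (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $log $file
}

# 3. Registry hives: reg.exe can save hives that are in use by the running system.
$regDir = New-Item -ItemType Directory -Path (Join-Path $dest 'registry') -Force
foreach ($hive in 'HKLM\SYSTEM', 'HKLM\SOFTWARE', 'HKLM\SAM', 'HKLM\SECURITY') {
    $file = Join-Path $regDir.FullName ((($hive -split '\\')[-1]) + '.hiv')
    reg.exe save $hive $file /y | Out-Null
}

# 4. Hash every collected file before writing the manifest, so the manifest
#    itself is not enumerated mid-collection.
$manifest = Get-ChildItem -Path $dest -Recurse -File | Get-FileHash -Algorithm SHA256
$manifest | Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation

Write-Host "Triage artifacts for $env:COMPUTERNAME written to $dest"
```

Copy the folder to analysis storage and re-run `Get-FileHash` against `manifest.csv` to confirm nothing changed in transit before examining the artifacts.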

All agencies, whether or not they see indicators of compromise, must report their status to CISA by noon on Friday, March 5.

CISA said it will assist agencies without internal capabilities and provide additional guidance on request—at CyberDirectives@cisa.dhs.gov—and through its website, in addition to an emergency directive coordination call.

By April 5, 2021, CISA will report cross-agency status and any outstanding issues to the Secretary of Homeland Security and the Director of the Office of Management and Budget, according to the directive.

Agencies are still dealing with clean-up efforts after the massive hack that compromised a SolarWinds network management product, leveraged a weakness in Microsoft’s Active Directory Federation Service, and relied on the credential dumping tactic.