CISA Orders Agencies to Recheck for Exchange Compromises
Requires Rescanning of Networks, Hardening of Infrastructure
The Cybersecurity and Infrastructure Security Agency is ordering federal executive branch agencies to rescan and recheck their networks by Monday for any signs of compromise related to unpatched vulnerabilities in on-premises Microsoft Exchange email servers.
In addition, the agencies have until June 28 to implement CISA's recommended steps to harden their infrastructure against attacks.
Exchange Server Flaws
Microsoft patched the four vulnerabilities in the on-premises version of Exchange Server on March 2. Around that time, RiskIQ estimated that about 400,000 on-premises Exchange servers were vulnerable. Microsoft reported that as of March 26, more than 92%, or around 368,000, had been patched or mitigated (see: Check Point: 50,000 Attempted Ransomware Attacks Target Exchange).
Attackers started aggressively targeting vulnerable Exchange servers around Feb. 26, researchers report. Microsoft attributed the initial activity to a suspected China-based group dubbed Hafnium, but other security companies report that as many as a half-dozen groups attacked Exchange servers prior to the patching.
"CISA is directing additional actions to identify compromises that may remain undetected," the agency states. "Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised. CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening."
So far, no federal agencies have reported a compromise related to exploits of the unpatched Exchange flaws. But Frank Downs, a former National Security Agency offensive threat analyst, says CISA apparently believes that unpatched systems still pose a significant risk to federal networks.
"By ensuring that all Exchange servers are addressed so rapidly, CISA is suggesting that unmitigated vulnerabilities pose a very severe risk," says Downs, who is now a director at the security firm BlueVoyant.
Tim Wade, a former network and security technical manager with the U.S. Air Force who is now a technical director at the security firm Vectra AI, adds: "Given the importance of email for modern business, these directives indicate that there are organizations who may be implicitly instructed to stand down from the full execution of their primary function unless and until remediation occurs."
Call to Action
CISA is requiring federal agencies that use on-premises Exchange servers to conduct two exercises by noon Monday.
The agencies must run Microsoft's Safety Scanner tool, also known as MSERT, in full scan mode and report the results to CISA. Microsoft updated the tool last month with signatures for the web shells dropped in attacks that exploit the ProxyLogon flaws in Exchange (see: Microsoft Issues Mitigation Tool for an Exchange Server Flaw).
CISA is also ordering federal agencies to run this same scan every week for four weeks to check for additional compromises.
In addition to mandating MSERT scans, CISA is requiring that agencies run a script called Test-ProxyLogon.ps1 to check both Exchange and Internet Information Services, or IIS, logs for any malicious activity related to these attacks.
"If attacker activity is identified, the script reports the vulnerabilities for which it found evidence of use and collects logs that it stores in the specified output path in the Test-ProxyLogonLogs directory," CISA notes.
After those tasks are complete and the results are returned, CISA is requiring that federal agencies take additional steps to harden networks and infrastructure by June 28.
These steps include deploying a firewall between Exchange servers and the internet to restrict inbound access, as well as installing all Microsoft software and security updates within 48 hours of release.
CISA is also ordering agencies to review Active Directory to identify which accounts have administrative or remote access to their Exchange deployments, and to apply the principle of least privilege so that a compromised Exchange server gives an attacker less opportunity to steal credentials and move laterally.
"Exchange is, by default, installed with some of the most powerful privileges in Active Directory, making it a prime target for threat actors," CISA warns.
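One way to start the Active Directory review the directive calls for is to enumerate who actually sits in the groups through which Exchange holds those privileges. The following is an added example, not part of the article or of CISA's guidance; it assumes the ActiveDirectory RSAT module is available and that the deployment kept the default Exchange security group names:

```powershell
# Added example (not from the article or CISA): list the effective membership of the
# Active Directory groups through which Exchange holds its broad privileges, so that
# anything beyond the Exchange servers themselves and the intended administrators
# can be reviewed and removed. Assumes the ActiveDirectory RSAT module and the
# default group names created by Exchange setup.
Import-Module ActiveDirectory

# Default groups created by Exchange setup. Exchange Windows Permissions and
# Exchange Trusted Subsystem carry the AD write rights that make Exchange such a
# valuable target; Organization Management is the Exchange-wide admin role.
$exchangeGroups = @(
    'Organization Management',
    'Exchange Trusted Subsystem',
    'Exchange Windows Permissions',
    'Exchange Servers'
)

$report = foreach ($group in $exchangeGroups) {
    # -Recursive expands nested groups so indirectly privileged accounts show up too.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Group      = $group
                Member     = $_.SamAccountName
                ObjectType = $_.objectClass
            }
        }
}

# Expected baseline: Exchange Trusted Subsystem and Exchange Windows Permissions
# resolve (recursively) to the Exchange server computer accounts only. Any user
# account appearing there is a least-privilege finding to investigate.
$unexpected = $report | Where-Object {
    $_.Group -in 'Exchange Trusted Subsystem', 'Exchange Windows Permissions' -and
    $_.ObjectType -ne 'computer'
}

$report     | Sort-Object Group, Member | Format-Table -AutoSize
$unexpected | Export-Csv -Path "$env:TEMP\exchange-privilege-findings.csv" -NoTypeInformation
"Unexpected non-computer members of the Exchange permission groups: $($unexpected.Count)"
```

Run this from a workstation with RSAT as a user who can read group membership; it needs no Exchange rights of its own. The exported findings file is the list to work through with the Exchange and AD owners before the June 28 deadline.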