SecureWorld News

CISA: 36-Hour Countdown to 'Patch or Disconnect'

Written by Drew Todd | Wed | Apr 14, 2021 | 8:49 PM Z

There is urgent fallout happening right now related to the recently discovered Zero-Days with Microsoft Exchange servers—vulnerabilities that are being exploited by Hafnium, believed to be a Chinese nation-state hacking operation.

U.S. government issues emergency directive on Exchange servers

In this latest action, the U.S. Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency (CISA) started a timeclock for federal agencies to take action, and as of publication, we're down to about 36 hours:

"On April 13, 2021, Microsoft released a software update to mitigate significant vulnerabilities that affect on-premises Exchange Servers 2013, 2016, and 2019. An attacker could use these vulnerabilities to gain access and maintain persistence on the target host. These vulnerabilities are different from the ones disclosed and fixed in March 2021—the security updates released in March 2021 will not remediate against these vulnerabilities.

Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity.

Though CISA is unaware of active exploitation of these vulnerabilities, once an update has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit.

CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.

Applying the update released on April 13 to Exchange servers is currently the only mitigation for these vulnerabilities (aside from removing affected servers from the network). CISA requires that agencies immediately apply the Microsoft April 2021 update to all affected Exchange Servers."

Required actions for U.S. government agencies

DHS lists four required actions for organizations to take who are currently running Microsoft Exchange servers.

  1. "Deploy Microsoft Updates. Before 12:01 am Friday, April 16, 2021, Eastern Daylight Time, agencies with on-premises Microsoft Exchange servers must deploy Microsoft updates from Tuesday, April 13, 2021, to all affected Microsoft Exchange servers. Microsoft Exchange Servers that cannot be updated within the deadline above must be immediately removed from agency networks."

  2. "Apply/Maintain Controls. Ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected endpoints are updated before connecting to agency networks."

  3. "Report Completion. For agencies managing on-premises Microsoft Exchange servers, department-level Chief Information Officers (CIOs) or equivalents shall submit a report to CISA using the provided template to CyberDirectives@cisa.dhs.gov by Noon Eastern Daylight Time on Friday, April 16, 2021."

  4. "Report Indications of Compromise. Immediately report any identified cyber incidents and related indications of compromise detected while conducting update activities through https://us-cert.cisa.gov/report."

The Hafnium data breach is related to that nation-state attacker's use of Zero-Day vulnerabilities, which were unknown to defenders until after the attack was underway for several months.

[RELATED: Emergency Directive: New Attacks Against Exchange Servers]