We've been tracking various US-CERT and CISA alerts for years, and this is some of the most urgent language we've seen used.
The Cybersecurity and Infrastructure Security Agency issued a special bulletin on the evening of March 8, titled "CISA Strongly Urges All Organizations to Immediately Address Microsoft Exchange Vulnerabilities."
It then goes on to say the following:
"As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises organizations follow the guidance laid out in the web page. The guidance provides specific steps for both leaders and IT security staff and is applicable for all sizes of organizations across all sectors."
In other words, these vulnerabilities sound as ubiquitous as Microsoft Exchange itself.
CISA is now delivering advice on remediating the vulnerabilities, with part of the message specifically crafted for business and security leaders and another section crafted for security teams.
Let's take a look at both of these.
Remediating Exchange vulnerabilities: CISA message to leaders
This part of the CISA alert is concise and clear, and explains the "why" behind concern over this cyberattack scenario. And again, listen for the urgency in this message.
"An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack. Leaders at all organizations must immediately address this incident by asking their IT personnel:
- What steps your organization has taken;
- Whether your organization has the technical capability to follow the guidance provided below; and
- If your organization does not have the capability to follow the guidance below, whether third-party IT security support has been requested.
Leaders should request frequent updates from in-house or third-party IT personnel on progress in implementing the guidance below until completed."
Remediation for Exchange vulnerabilities: message to security teams
The CISA wording to security teams is also urgent and includes mitigation steps for cybersecurity professionals.
As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises all system owners complete the following steps:
- If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
- Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
- Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
- If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.
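The steps above boil down to: record the server's state before changing it, check for IOCs, patch, and fall back to interim mitigations only when patching is impossible. The following PowerShell script is an added example written for this page; it is not part of the CISA alert, the Microsoft tool, or any Microsoft guidance. Run on an on-premises Exchange server, it records the installed Security Update level (read from ExSetup.exe, whose file version changes with each SU, unlike AdminDisplayVersion), hashes that evidence, and reports whether the server meets a minimum build you supply. The $MinimumBuild value is a placeholder you must take from Microsoft's published build table for your Exchange version and CU; $EvidenceRoot is an arbitrary path, and the script assumes ExSetup.exe is resolvable via Get-Command, as it is on a server with Exchange installed.

```powershell
# Added example (not CISA's or Microsoft's code): pre-patch triage for one
# on-premises Exchange server.
#
# ASSUMPTIONS: $MinimumBuild is a placeholder; look up the correct value for
# your Exchange version/CU in Microsoft's published build list for the
# out-of-band updates. $EvidenceRoot is an arbitrary local path.
param(
    [Parameter(Mandatory = $true)]
    [string]$MinimumBuild,                         # e.g. "15.1.XXXX.XX" (placeholder)
    [string]$EvidenceRoot = "C:\IR\exchange-triage" # assumed location
)

$ErrorActionPreference = 'Stop'

# One evidence folder per server and collection run.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Record the current state before touching anything. ExSetup.exe's file
#    version reflects the installed Security Update; AdminDisplayVersion only
#    reflects the Cumulative Update, so it cannot tell you whether the SU is on.
$exsetup   = Get-Command ExSetup.exe
$installed = [version]$exsetup.FileVersionInfo.FileVersion
$required  = [version]$MinimumBuild

$state = [pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    CollectedUtc   = (Get-Date).ToUniversalTime().ToString('o')
    ExSetupPath    = $exsetup.Source
    InstalledBuild = $installed.ToString()
    RequiredBuild  = $required.ToString()
    Patched        = ($installed -ge $required)
}
$stateFile = Join-Path $outDir 'exchange-build.json'
$state | ConvertTo-Json | Set-Content -Path $stateFile

# 2. Hash the evidence so later modification is detectable. The hash file is
#    written next to the evidence; copy both off the server for safekeeping.
Get-FileHash -Algorithm SHA256 -Path $stateFile |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $outDir 'evidence-hashes.csv') -NoTypeInformation

# 3. Report. An unpatched server still needs the IOC check either way; a
#    patched one may have been compromised before the update was applied.
if ($state.Patched) {
    Write-Host "[OK] $($state.Computer): build $installed is at or above $required. Still run the Microsoft IOC detection tool."
} else {
    Write-Warning "$($state.Computer): build $installed is below $required. Apply the update now (or Microsoft's interim mitigations if you cannot), then run the Microsoft IOC detection tool."
}

# Evidence written to $outDir; keep it with any forensic image you take.
```

Run it from the Exchange Management Shell before patching so the recorded build reflects the pre-update state; running it again afterwards gives you a second record showing the update landed. The script deliberately changes nothing on the server, which is the point of collecting evidence first.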
And CISA added a special note at the end of this alert:
"Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment."
Timeline for Microsoft Exchange 2021 vulnerabilities
It's amazing to think how quickly bulletins, updates, and patches have emerged around this collection of 2021 Microsoft Exchange vulnerabilities. Here is the timeline so far:
- March 2: Microsoft issues "out-of-band" security updates
- March 3: CISA issues Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- March 6: Microsoft details alternative mitigation techniques
- March 8: CISA issues call for all organizations, across all verticals, to immediately remediate the Exchange vulnerabilities.
- March 9: The FBI gets into the public comment game, issuing the following statement on the Microsoft Exchange vulnerabilities:
"The FBI is aware of Microsoft's emergency patch for previously unknown vulnerabilities in Exchange Server software, attributed to the APT actor known by Microsoft as HAFNIUM. The FBI is working closely with our interagency and private sector partners to understand the scope of the threat. Network owners should immediately patch their systems.
Help us respond to victims and hold those responsible accountable. If your Exchange Server from Microsoft has been compromised, please contact your local FBI field office."
This likely speaks to the serious and widespread nature of these particular vulnerabilities. We'll let you know when there is more news to share.