CISA Orders Federal Agencies to Patch Exchange Servers


Espionage attacks exploiting the just-patched remote code-execution security bugs in Microsoft Exchange servers are quickly spreading.

Hot on the heels of Microsoft’s announcement about active cyber-espionage campaigns that are exploiting four serious security vulnerabilities in Microsoft Exchange Server, the U.S. government is mandating patching for the issues.

The news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have “persistent system access and control of an enterprise network.”

“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” reads the March 3 alert. “This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.”

Rapidly Spreading Exchange Server Attacks

Earlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release out-of-band patches.

The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.

The attacks are being carried out in part by a China-linked advanced persistent threat (APT) called Hafnium, Microsoft said – but multiple other security firms have observed attacks from other groups and against a widespread swathe of targets.

Huntress Labs, for instance, told Threatpost that its researchers have discovered more than 200 web shells deployed across thousands of vulnerable servers (including servers with antivirus and endpoint detection/response installed), and it expects this number to keep rising.

“The team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,” a spokesperson at Huntress told Threatpost.

Meanwhile, researchers at ESET tweeted that CVE-2021-26855 was being actively exploited in the wild by at least three APTs besides Hafnium.

“Among them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters,” it tweeted, adding that while most attacks are against targets in the U.S., “we’ve seen attacks against servers in Europe, Asia and the Middle East.”

The vulnerabilities exist only in on-premises versions of Exchange Server, and don’t affect Office 365 or virtual instances. Yet despite the move to the cloud, there are plenty of physical servers still in service, leaving a wide pool of targets.

“With organizations migrating to Microsoft Office 365 en masse over the last few years, it’s easy to forget that on-premises Exchange servers are still in service,” Saryu Nayyar, CEO, Gurucul, said via email. “Some organizations, notably in government, can’t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.”

CISA Mandates Patching Exchange Servers

CISA is requiring federal agencies to take several steps in light of the spreading attacks.

First, they should take a thorough inventory of all on-premises Microsoft Exchange Servers in their environments, and then perform forensics to identify any existing compromises. Any compromises must be reported to CISA for remediation.

The forensics step would include collecting “system memory, system web logs, Windows event logs and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities.”

If no indicators of compromise have been found, agencies must immediately patch, CISA added. And if agencies can’t immediately patch, then they must take their Microsoft Exchange Servers offline.
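One way to carry out the inventory-and-collection steps described above on a single server, as an added example that is not part of the CISA directive or the article: the output folder, the default IIS log path and the `ExchangeInstallPath` variable set by Exchange setup are assumptions, and memory capture is left to a separate imaging tool.

```powershell
# Added example, not from the CISA directive or the article: gather the artifacts the
# directive names (web logs, Windows event logs, registry hives) from one on-premises
# Exchange server into a single folder for offline examination. Memory capture needs a
# separate imaging tool and is not attempted here.
# Assumptions: run in an elevated PowerShell on the Exchange server; IIS logs are in the
# default C:\inetpub\logs\LogFiles; ExchangeInstallPath was set by Exchange setup.
param(
    [string]$OutDir = "C:\IR\exchange-triage-$(Get-Date -Format 'yyyyMMdd-HHmm')"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Inventory: record the installed Exchange build so patch status can be verified later.
$exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
$build = (Get-Item $exSetup).VersionInfo.ProductVersion
"$env:COMPUTERNAME`t$build`t$(Get-Date -Format o)" | Set-Content "$OutDir\exchange-build.txt"

# 2. Web logs: IIS logs plus Exchange's own HTTP proxy logs (front-end request records).
$webLogs = @{
    'iis-logs'       = "$env:SystemDrive\inetpub\logs\LogFiles"
    'httpproxy-logs' = Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy'
}
foreach ($name in $webLogs.Keys) {
    if (Test-Path $webLogs[$name]) {
        Copy-Item -Path $webLogs[$name] -Destination (Join-Path $OutDir $name) -Recurse
    }
}

# 3. Windows event logs: export the channels most useful for spotting post-exploitation.
New-Item -ItemType Directory -Path "$OutDir\events" -Force | Out-Null
foreach ($channel in 'Security', 'System', 'Application', 'MSExchange Management') {
    $file = Join-Path "$OutDir\events" (($channel -replace '[^\w]', '_') + '.evtx')
    wevtutil epl $channel $file
}

# 4. Registry hives: reg.exe can save a live hive that Copy-Item cannot read.
New-Item -ItemType Directory -Path "$OutDir\registry" -Force | Out-Null
foreach ($hive in 'SYSTEM', 'SOFTWARE', 'SECURITY', 'SAM') {
    reg save "HKLM\$hive" "$OutDir\registry\$hive.hiv" /y | Out-Null
}

# 5. Hash every collected file so later examination can show the evidence is unaltered.
$hashes = Get-ChildItem -Path $OutDir -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
$hashes | Export-Csv -Path "$OutDir\manifest.csv" -NoTypeInformation
Write-Host "Collected artifacts for $env:COMPUTERNAME (Exchange $build) into $OutDir"
```

Copy the folder off the server before examining it, and compare the recorded build against Microsoft's patched build list to decide whether the server can be patched or must be taken offline.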

All agencies have also been told to submit an initial report by Friday on their current situation.

“[This] highlights the increasing frequency of attacks orchestrated by nation states,” said Steve Forbes, government cybersecurity expert at Nominet, via email. “The increasing role of government agencies in leading a coordinated response against attacks. CISA’s directive for agencies to report back on their level of exposure, apply security fixes or disconnect the program is the latest in a series of increasingly regular emergency directives that the agency has issued since it was established two years ago. Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications.”
