The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) to address recently disclosed vulnerabilities in Microsoft Exchange Server. The CSA is meant to highlight the cyber threat associated with active exploitation of vulnerabilities in Microsoft Exchange on-premises products.
On March 2, 2021, Microsoft and Volexity announced the detection of multiple zero-day exploits used to target vulnerabilities in on-premises versions of Microsoft Exchange Servers. In light of this public announcement, FBI and CISA assess that other capable cyber actors are attempting to exploit these vulnerabilities before victims implement the Microsoft updates.
In an update, Microsoft said it continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, they released a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE.
Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors, the CSA says.
FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web.
The CSA places the malicious cyber actor activity observed in the current Microsoft Exchange Server compromise into the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.
CISA recommends organizations to review Joint CSA: AA-21-069 Compromise of Microsoft Exchange Server as well as the CISA Remediating Microsoft Exchange Vulnerabilities web page for guidance on detecting, protecting against, and remediating this malicious activity.