CISA Orders Action Against Exchange Vulnerabilities

Underscoring the continued potential threat from the recently discovered exploitation of vulnerabilities in Microsoft Exchange Servers, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to take a number of actions to shore up security, including immediately scanning the servers for malware.

“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the agency said in supplementary guidance to the earlier CISA Emergency Directive (ED) 21-02. “This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.”

The agencies must report the results of scans by Microsoft Safety Scanner (MSERT) to CISA by April 5, then run scans weekly for the next four weeks using the latest version of MSERT, reporting any signs of compromise. They also must analyze Exchange and IIS logs by running the Test-ProxyLogon.ps1 script to check for any sign of attacker activity.

The supplemental directive charges agencies with provisioning firewalls between Microsoft Exchange servers and the internet, deploying updates within 48 hours of their release, running only manufacturer-supported software on servers hosting Microsoft Exchange, and taking steps to prevent attackers from leveraging “weak privileges to enable a lateral movement path to their target privileges.”

The directive also ordered agencies to capture and store for 180 days all logs from the host OS, Microsoft Exchange and associated network logs, preferably in a separate location monitored by an agency’s SOC.
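The recurring tasks the supplemental directive describes (MSERT scan, Test-ProxyLogon.ps1 log review, 180-day log retention off-box) lend themselves to one script an Exchange administrator can schedule weekly. This is an added example, not code from the article or from CISA; it assumes msert.exe and Microsoft's Test-ProxyLogon.ps1 are already downloaded to $ToolDir, that it runs in the Exchange Management Shell (for Get-ExchangeServer and $env:ExchangeInstallPath), and that $RetentionRoot is a hypothetical SOC-monitored share. The MSERT switches /N and /Q and the script's -OutPath parameter come from their vendor documentation.

```powershell
# Added example: weekly directive tasks for one on-premises Exchange server.
# Assumed paths below are placeholders; adjust them for the environment.
param(
    [string]$ToolDir       = 'C:\Tools',                     # holds msert.exe and Test-ProxyLogon.ps1
    [string]$RetentionRoot = '\\soc-share\exchange-logs',    # hypothetical SOC-monitored share
    [int]$RetentionDays    = 180                             # directive's retention window
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$outDir = Join-Path $RetentionRoot "$env:COMPUTERNAME\$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Malware scan with Microsoft Safety Scanner. /N = detect only (findings are
#    reviewed before any cleanup), /Q = quiet. MSERT writes its report to
#    %SystemRoot%\debug\msert.log, which is preserved alongside the other evidence.
$msert = Join-Path $ToolDir 'msert.exe'
Start-Process -FilePath $msert -ArgumentList '/N', '/Q' -Wait -NoNewWindow
Copy-Item (Join-Path $env:SystemRoot 'debug\msert.log') (Join-Path $outDir 'msert.log')

# 2. Run Microsoft's Test-ProxyLogon.ps1 over every Exchange server in the org;
#    it inspects the Exchange HttpProxy/OABGenerator logs and IIS logs and writes
#    its findings to -OutPath for the SOC to review.
$proxyLogon = Join-Path $ToolDir 'Test-ProxyLogon.ps1'
Get-ExchangeServer | & $proxyLogon -OutPath (Join-Path $outDir 'proxylogon')

# 3. Copy host, Exchange and IIS logs off the server so they survive a rebuild
#    and are available for the full retention window.
$logSources = @(
    (Join-Path $env:ExchangeInstallPath 'Logging'),            # Exchange logs
    (Join-Path $env:SystemDrive 'inetpub\logs\LogFiles')       # IIS logs (default location)
)
foreach ($src in $logSources) {
    if (Test-Path $src) { Copy-Item $src -Destination $outDir -Recurse -Force }
}
foreach ($log in 'System', 'Security', 'Application') {       # host OS event logs
    wevtutil epl $log (Join-Path $outDir "$log.evtx")
}

# 4. Prune archives older than the retention window; nothing younger than
#    $RetentionDays is ever removed.
Get-ChildItem (Join-Path $RetentionRoot $env:COMPUTERNAME) -Directory |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Recurse -Force
```

Register it as a weekly scheduled task running under an account that can read the Exchange and IIS log directories and write to the share, and review the msert.log and proxylogon output each week before reporting to CISA.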

Fulfilling the laundry list of requirements and system hardening criteria, and meeting CISA’s June 28 deadline, will take considerable time and resources.

The agency’s heavy-handed move put to rest any question “as to the impact and risk associated with the vulnerabilities,” said Tim Wade, technical director, CTO team at Vectra. “CISA has instructed organizations with insufficient cybersecurity expertise to fully disconnect their on-premises exchange infrastructure until such a time as instructions for rebuilding and re-provisioning are provided,” said Wade. “Given the importance of email for modern business, these directives indicate there are organizations who may be implicitly instructed to stand down from the full execution of their primary function unless and until remediation occurs.”

There will be “a significant increase in serious cyberattacks throughout 2021 using ubiquitous software like Exchange and SolarWinds as the attack vector,” warned Anthony Pillitiere, co-founder and CTO at Horizon3. Pillitiere stressed that “organizations that lack a strong cybersecurity foundation will suffer, but organizations that have invested in the right talent, tools, processes and partners will weather the storm.”

In special operations, he said, “we learned to master the fundamentals” and the same holds “true in cybersecurity – focus on getting the fundamentals right.” That way, organizations “can assess, detect, and respond to security threats faster.”

The onslaught of vulnerabilities – and the complexity of managing critical applications and infrastructure in-house – likely will drive organizations “to consider adopting SaaS versions of their software, so they can receive patches and updates quickly, and directly from the vendor,” said Pathlock President Kevin Dunne.

But shifting to cloud “will open new loopholes, as data shifts to the public internet and traditional network-based protection offers little value,” Dunne warned.

Security Boulevard

Teri Robinson