Security Boulevard (Original)

CISA Orders Action Against Exchange Vulnerabilities

Underscoring the continued potential threat from the recently discovered exploitation of vulnerabilities in Microsoft Exchange Servers, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to take a number of actions to shore up security, including immediately scanning the servers for malware.

“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the agency said in supplementary guidance to the earlier CISA Emergency Directive (ED) 21-02. “This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.”

The agencies must report the results of Microsoft Safety Scanner (MSERT) scans to CISA by April 5, then rescan weekly for the next four weeks with the latest MSERT release and report any indications of compromise. They also must run the Test-ProxyLogon.ps1 script against their Exchange and IIS logs to check for evidence of exploitation.
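The log-analysis step above is where most of the evidence lives. As an added example that is not part of the article and is not Microsoft's Test-ProxyLogon.ps1 itself, the following Python reimplements the HttpProxy-log indicator that script looks for: a request that reached the Exchange backend with an empty AuthenticatedUser while carrying an AnchorMailbox of the form ServerInfo~<target>/<path>. The column names (DateTime, UrlStem, AuthenticatedUser, AnchorMailbox, ClientIpAddress) are real HttpProxy log fields, but the embedded sample log is constructed and trimmed to a handful of columns; hostnames, IPs and request IDs in it are placeholders.

```python
"""Triage Exchange HttpProxy logs for unauthenticated ServerInfo~ proxy requests.

This is an illustrative reimplementation of the HttpProxy check performed by
Microsoft's Test-ProxyLogon.ps1 (not that script). HttpProxy logs are CSV files
whose metadata lines start with '#' and whose column list follows '#Fields:'.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample (real logs carry many more columns; values are placeholders).
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2106.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T01:15:02.113Z,aaa1,/owa/auth/logon.aspx,CONTOSO\\jsmith,jsmith@contoso.example,198.51.100.7,200
2021-03-03T01:16:44.501Z,bbb2,/autodiscover/autodiscover.xml,,ServerInfo~a]@exch01.contoso.example:444/autodiscover/autodiscover.xml?#,203.0.113.9,200
2021-03-03T01:17:10.009Z,ccc3,/ews/exchange.asmx,CONTOSO\\svc-backup,svc-backup@contoso.example,198.51.100.12,200
2021-03-03T01:18:03.777Z,ddd4,/owa/,,,203.0.113.9,401
2021-03-03T01:19:22.300Z,eee5,/ecp/default.flt,,ServerInfo~localhost/ecp/default.flt?#,203.0.113.9,200
"""


@dataclass(frozen=True)
class Hit:
    """One HttpProxy request matching the indicator."""
    timestamp: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def parse_httpproxy_log(text: str) -> list[dict]:
    """Parse HttpProxy log text into row dicts keyed by the '#Fields:' column names."""
    columns: list[str] | None = None
    data_lines: list[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = [c.strip() for c in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines and blank lines
        else:
            data_lines.append(line)
    if columns is None:
        raise ValueError("no #Fields: header found in log")
    reader = csv.DictReader(io.StringIO("\n".join(data_lines)), fieldnames=columns)
    return list(reader)


def is_unauthenticated_serverinfo_proxy(row: dict) -> bool:
    """Indicator: no authenticated user, and AnchorMailbox 'ServerInfo~<target>/<path>'.

    A legitimately authenticated request carries the user in AuthenticatedUser;
    an empty value combined with a ServerInfo~ anchor means the frontend proxied an
    unauthenticated request to a backend target chosen by the request itself.
    """
    user = row.get("AuthenticatedUser") or ""
    anchor = row.get("AnchorMailbox") or ""
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def find_suspicious_requests(text: str) -> list[Hit]:
    """Return every row of the log that matches the indicator, in log order."""
    return [
        Hit(r["DateTime"], r["ClientIpAddress"], r["UrlStem"], r["AnchorMailbox"])
        for r in parse_httpproxy_log(text)
        if is_unauthenticated_serverinfo_proxy(r)
    ]


def summarize_by_client(hits: list[Hit]) -> dict[str, int]:
    """Count hits per client IP, to spot the source(s) that should be pivoted on."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    import sys

    # Pass a real HttpProxy log path to scan it; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    hits = find_suspicious_requests(log_text)
    for h in hits:
        print(f"{h.timestamp} {h.client_ip} {h.url_stem} anchor={h.anchor_mailbox}")
    print("per-client:", summarize_by_client(hits))
```

On a real server the HttpProxy logs sit under the Exchange install's Logging\HttpProxy folder and are rotated into many files, so run this over every file, not just the newest. A hit is a lead, not proof: corroborate it against the IIS logs for the same timestamp and client address, and treat the per-client summary as the starting point for scoping rather than as a verdict.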

The supplemental directive charges agencies with placing firewalls between Microsoft Exchange servers and the internet, deploying updates within 48 hours of their release, running only vendor-supported software (operating system and Exchange versions) on servers hosting Microsoft Exchange, and taking steps to prevent attackers from leveraging “weak privileges to enable a lateral movement path to their target privileges.”

The directive also ordered agencies to capture and store for 180 days all logs from the host OS, Microsoft Exchange and associated network logs, preferably in a separate location monitored by an agency’s SOC.

Fulfilling the laundry list of requirements and system hardening criteria by CISA’s June 28 deadline will take considerable time and resources.

The agency’s heavy-handed move put to rest any question “as to the impact and risk associated with the vulnerabilities,” said Tim Wade, technical director, CTO team at Vectra. “CISA has instructed organizations with insufficient cybersecurity expertise to fully disconnect their on-premises Exchange infrastructure until such a time as instructions for rebuilding and re-provisioning are provided,” said Wade. “Given the importance of email for modern business, these directives indicate there are organizations who may be implicitly instructed to stand down from the full execution of their primary function unless and until remediation occurs.”

There will be “a significant increase in serious cyberattacks throughout 2021 using ubiquitous software like Exchange and SolarWinds as the attack vector,” warned Anthony Pillitiere, co-founder and CTO at Horizon3. Pillitiere stressed that “organizations that lack a strong cybersecurity foundation will suffer, but organizations that have invested in the right talent, tools, processes and partners will weather the storm.”

In special operations, he said, “we learned to master the fundamentals” and the same holds “true in cybersecurity – focus on getting the fundamentals right.” That way, organizations “can assess, detect, and respond to security threats faster.”

The onslaught of vulnerabilities – and the complexity of managing critical applications and infrastructure in-house – likely will drive organizations “to consider adopting SaaS versions of their software, so they can receive patches and updates quickly, and directly from the vendor,” said Pathlock President Kevin Dunne.

But shifting to cloud “will open new loopholes, as data shifts to the public internet and traditional network-based protection offers little value,” Dunne warned.

Teri Robinson

