CISA Issues Emergency Directive on Microsoft Exchange Security Issue
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a notice and recommendations regarding a serious security issue with Microsoft Exchange on-premises products. CISA has issued an emergency directive to federal agencies to take action to address this threat and strongly urges other entities, including local governments, to immediately take action to ensure their networks are secure. For more information, visit Mitigate Microsoft Exchange On-Premises Product Vulnerabilities | CISA.
From: Sector.Partnership <Sector.Partnership@cisa.dhs.gov>
Sent: Friday, March 5, 2021 10:40 PM
Subject: Microsoft Releases Alternative Mitigations for Exchange Server Vulnerabilities
Microsoft Releases Alternative Mitigations for Exchange Server Vulnerabilities
INTENDED FOR WIDEST DISTRIBUTION
Critical Infrastructure Colleagues and Partners,
The Cybersecurity and Infrastructure Security Agency (CISA) strongly urges its partners to follow guidance provided to Federal Civilian Executive Branch Departments and Agencies at cisa.gov/ed2102. This CISA Emergency Directive outlines key steps federal officials must take to immediately address this vulnerability. We cannot stress enough the seriousness of this vulnerability; it is widespread and is indiscriminate.
As a follow up to the conference call CISA held earlier today regarding the Microsoft Exchange widespread vulnerability affecting on-premise deployments, CISA published this evening the following Current Activity supplemental guidance to ensure all partners understand the severity of the vulnerability and steps to detect and mitigate potential compromise. All information surrounding this vulnerability can also be found directly at www.cisa.gov.
NOTE: Exploitation of this vulnerability before patch installation permits an adversary to gain persistent access to and control of entire enterprise networks which is likely to persist even after patching.
Please immediately speak with your IT officials to determine what steps your organization has taken, and if your organization does not have the technical capability to verify network integrity please consider bringing in a third party to assist you as soon as possible.
Everyone using Microsoft Exchange on-premise products must:
- Check for signs of compromise;
- Immediately patch Microsoft Exchange with the vendor released patch;
- If unable to patch, remove the products from the networkimmediately; and
- Upgrade to the latest supported version of Microsoft Exchange.
Response to indicators of compromise are essential to eradicate adversaries already on your network and must be accomplished in conjunction with measures to secure the Microsoft Exchange environment. Patching an already compromised system will not be sufficient to mitigate this situation; therefore, CISA strongly encourages partners to immediately disconnect any Microsoft Exchange systems suspected of being compromised.
Please contact CISA for any questions or to report an incident regarding this vulnerability at Central@cisa.gov.
------- Actions for IT Admins/Staff -------
CISA is tracking a serious issue with Microsoft Exchange. We cannot emphasis enough that exploitation is widespread and indiscriminate and we are advising all system owners to complete the following actions.
Please follow the ensuing checklist and provide feedback to your leadership on the actions you have taken and any challenges completing the recommended steps.
- Patch ALL instances of Microsoft Exchange that you are hosting.
- If you can’t patch then follow the recommendations Microsoft issued -- Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 – Microsoft Security Response Center .
- Check for indicators of compromise by running the following script .
- If you haven’t been compromised we strongly recommend enhance monitoring of network connections to your Exchange environment.
- If you have, follow this guidance to better understand what to do next.
Respectfully,
Cybersecurity and Infrastructure Security Agency
Defend Today Secure Tomorrow