CISA issues emergency directive to agencies: Deal with Microsoft Exchange zero-days now

Updated: Patch now, or disconnect Microsoft Exchange servers from the internet.
Written by Charlie Osborne, Contributing Writer

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive following the release of fixes for zero-day vulnerabilities in Microsoft Exchange. 

The US agency's Emergency Directive 21-02, "Mitigate Microsoft Exchange On-Premises Product Vulnerabilities," was issued on March 3. 

This week, Microsoft warned that four zero-day vulnerabilities in Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 are being actively exploited by a suspected state-sponsored advanced persistent threat (APT) group from China called Hafnium.

Exchange Online is not affected by the bugs. However, Exchange Server is software used by government agencies and the enterprise alike, and so Microsoft's warning to apply provided patches immediately should not be ignored. 

In light of this, CISA's directive -- made through legal provisions for the agency to issue emergency orders to other US government bodies when serious cybersecurity threats are detected -- demands that federal agencies tackle the vulnerabilities now. 

CISA says that partner organizations have detected "active exploitation of vulnerabilities in Microsoft Exchange on-premise products."

"Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network," the agency says. 

CISA believes the vulnerabilities present an "unacceptable risk to Federal Civilian Executive Branch agencies," and so action is now required. 

The emergency directive has stipulated that agencies must begin triaging their network activity, system memory, logs, Windows event logs, and registry records to find any indicators of suspicious behavior. 

If there are no indicators of compromise (IoCs), patches need to be immediately applied to Microsoft Exchange builds. However, if any activity is of note, US departments must immediately disconnect their Microsoft Exchange on-premises servers and report their findings to CISA for further investigation.

"This Emergency Directive remains in effect until all agencies operating Microsoft Exchange servers have applied the available patch or the Directive is terminated through other appropriate action," the agency added. 

Update 10.28 GMT: In an updated alert late Thursday, CISA said the agency is "aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020."
