Exchange Server attacks: Run this Microsoft malware scanner now, CISA tells government agencies

US federal agencies need to immediately begin more clean-up work on potentially compromised Exchange servers.

The Cybersecurity and Infrastructure Security Agency (CISA) has instructed US government agencies with on-premise Exchange systems to run Microsoft malware scanners and report results by April 5. 

CISA issued supplementary direction to its "ED 21-02" directive; the new request applies to any federal agency that had an Exchange server connected directly or indirectly to the internet at any point since January 1, 2021. 

The move follows the discovery of software flaws in on-premise versions of Microsoft Exchange Server being exploited by attackers. Exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

The new CISA orders are aimed at ensuring agencies use newly developed Microsoft tools to identify any compromises that remain undetected. They need to be followed even if all steps in the earlier directive were completed. 

"Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised. CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening," CISA says in the supplement. 

"By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021, download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode and report results to CISA using the provided reporting template," it notes. 

The Microsoft scanner can use up a lot of a server's processing capacity, so CISA recommends running the scan during off-peak hours.

The other tool agencies are instructed to run is the Test-ProxyLogon.ps1 script, which Microsoft released in mid-March. The script can be run as administrator to check Exchange and IIS logs to discover signs of attacker activity, such as files written to the server and the presence of web shell scripts used for persistence. 

"This script checks targeted exchange servers for signs of the proxy logon compromise described in CVE-2021-26855, 26857, 26858, and 27065," CISA explains. 

CISA also issued hardening instructions for Exchange servers, including applying software updates, ensuring that only a supported version of Exchange is in use, and reviewing permissions and roles. The hardening requirements must be completed by Monday, June 28, 2021.

"Exchange is, by default, installed with some of the most powerful privileges in Active Directory, making it a prime target for threat actors," CISA warns. 

Agencies need to "enumerate accounts and groups that are leveraged by Exchange installations and review their permissions and roles." 

They will also need to "review membership in highly privileged groups such as Administrators, Remote Desktop Users, and Enterprise Admins" and "review sensitive roles such as Mailbox Import Export and Organization Management (e.g. using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell)."

Agencies must "ensure that no account on an Exchange server is a member of the Domain Admin group in Active Directory". Finally, they must prevent the accounts that manage on-premises Exchange from having administrative permissions in any Microsoft Office 365 environment.
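The review steps above (privileged group membership, sensitive Exchange roles, and the Domain Admins check for Exchange server accounts) can be gathered in one read-only pass. The script below is an added illustration, not CISA's or Microsoft's tooling; it assumes it runs in the Exchange Management Shell on a domain-joined host with the ActiveDirectory PowerShell module available.

```powershell
# Added audit helper (not from CISA or Microsoft). Assumes the Exchange
# Management Shell plus the ActiveDirectory module; it only reads and prints.
Import-Module ActiveDirectory

# Privileged AD groups named in the directive, plus Domain Admins for the
# "no Exchange server account" check.
$PrivilegedGroups = @('Administrators', 'Remote Desktop Users',
                      'Enterprise Admins', 'Domain Admins')

# 1. Membership of highly privileged groups (recursive, so nested groups count).
foreach ($group in $PrivilegedGroups) {
    Write-Host "== Members of '$group' =="
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object objectClass, SamAccountName, distinguishedName |
        Format-Table -AutoSize
}

# 2. Who can effectively use the Mailbox Import Export role (it allows
#    exporting any mailbox to PST, so assignments should be rare and justified).
Write-Host '== Effective users of the Mailbox Import Export role =='
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
    Select-Object RoleAssigneeName, RoleAssigneeType, EffectiveUserName |
    Format-Table -AutoSize

# 3. Members of the Organization Management role group (full Exchange admin).
Write-Host '== Organization Management role group members =='
Get-RoleGroupMember -Identity 'Organization Management' |
    Select-Object Name, RecipientType | Format-Table -AutoSize

# 4. No Exchange server computer account may sit in Domain Admins,
#    directly or through nesting.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty distinguishedName
foreach ($server in Get-ExchangeServer) {
    $computer = Get-ADComputer -Identity $server.Name
    if ($domainAdmins -contains $computer.DistinguishedName) {
        Write-Warning "FINDING: Exchange server $($server.Name) is in Domain Admins"
    } else {
        Write-Host "OK: $($server.Name) is not in Domain Admins"
    }
}
```

The output is a starting point for the review; each listed principal and role assignment still needs a human decision on whether it is justified.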