The new emergency directive from CISA, the US Department of Homeland Security's cybersecurity agency, comes in the wake of major zero-day attacks on email servers revealed by Microsoft this week.
The US agency’s Emergency Directive 21-02, “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities,” was issued on March 3.
Following Microsoft’s release of out-of-band patches to address multiple zero-day flaws in on-premises versions of Microsoft Exchange Server, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive warning of “active exploitation” of the vulnerabilities.
This week, Microsoft warned that four zero-day vulnerabilities in Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 are being actively exploited by a suspected state-sponsored advanced persistent threat (APT) group from China called Hafnium.
ED-21-02 also calls for agencies to gather forensic images and, after patching, to look for known indicators of compromise, in the wake of Microsoft’s revelation that four zero-day flaws in Exchange are being abused by a nation-state group believed to operate out of China. CISA also published technical details and indicators of compromise today.
Exchange Online is not affected by the bugs. However, Exchange Server is software used by government agencies and the enterprise alike, and so Microsoft’s warning to apply provided patches immediately should not be ignored.
It’s not clear if any U.S. government agencies have been breached in the campaign, but the CISA directive underscores the urgency of the threat.
CISA says that partner organizations have detected “active exploitation of vulnerabilities in Microsoft Exchange on-premise products.”
While the company mainly attributed the campaign to a threat group called HAFNIUM, Slovak cybersecurity firm ESET said it found evidence of CVE-2021-26855 being actively exploited in the wild by several cyberespionage groups, including LuckyMouse, Tick, and Calypso, targeting servers located in the U.S., Europe, Asia, and the Middle East.
CISA said it worked with the National Security Agency, Microsoft, and security researchers to provide detection and mitigation steps for the threats.