Amid the Microsoft Exchange Server hacks and cyberattacks, which may have impacted more than 60,000 Microsoft e-mail customers worldwide, the Cybersecurity and Infrastructure Security Agency (CISA) is urging MSSPs, MSPs and IT security staff to immediately address the vulnerabilities.
A CISA alert, issued March 8, describes five steps that all Microsoft Exchange system owners should take immediately. The five steps, according to the CISA alert, include this specific guidance (word for word):
- If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
- Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
- Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
- If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
- If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. Note: Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment.
Microsoft Exchange Cyberattack: Hafnium Hack Timeline, Updates
Microsoft disclosed the Exchange Server hacks on March 2, 2021. Microsoft alleges that a state-sponsored threat actor called Hafnium, which operates from China, launched the attacks against customers' on-premises email servers.
Related Updates: See this Microsoft Exchange Cyberattack Timeline for ongoing updates about the attacks, fallout, investigation and remediation.