CISA Offers IT Admins Guidelines to Mitigate Recent MS Exchange Vulnerabilities

The Cybersecurity & Infrastructure Security Agency (CISA) has issued an emergency directive and alert addressing several critical vulnerabilities recently found in Microsoft Exchange products. Microsoft confirmed the existence of multiple flaws in Microsoft Exchange Server last week, when it rolled out several security updates following reports of targeted attacks.

“Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect against these exploits and to prevent future abuse across the ecosystem,” Microsoft said at the time.

Exploitation of these vulnerabilities can allow a malicious actor to access on-premises Exchange servers and gain persistent access and control of an enterprise network.

CISA recommends organizations examine their systems for any malicious activity as detailed in Alert AA21-062A. To do so, IT admins can consult the handy list of tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity provided in the alert.

Microsoft itself has also rolled out an IOC Detection Tool for the newest Exchange Server vulnerabilities. The tool leverages an updated script that scans Exchange log files for indicators of compromise associated with the vulnerabilities disclosed last week.
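To illustrate what an indicator scan over Exchange logs looks like, here is an added example that is not Microsoft's detection tool or CISA's code. It parses IIS W3C-format request logs (the format Exchange front-end logs use) and flags lines whose client IP, User-Agent or request path matches an indicator list. Every indicator value and log line in it is a constructed placeholder (RFC 5737 documentation addresses, made-up paths and agents); the real indicators come from Alert AA21-062A and Microsoft's advisory, and the field names `c-ip`, `cs-uri-stem` and `cs(User-Agent)` are assumed to be present in the `#Fields:` header.

```python
"""Minimal IOC scanner for IIS/Exchange W3C request logs (added example).

All indicator values and sample log lines are CONSTRUCTED placeholders;
substitute the indicators published in CISA Alert AA21-062A.
"""
from dataclasses import dataclass
from typing import Iterable, List, Dict, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "user_agent" or "uri_path"
    value: str
    note: str


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str
    value: str
    note: str


# Placeholder indicators (constructed, not real IOCs).
PLACEHOLDER_INDICATORS = [
    Indicator("ip", "192.0.2.10", "placeholder request source"),
    Indicator("user_agent", "ExampleBadAgent/1.0", "placeholder user agent"),
    Indicator("uri_path", "/owa/auth/example-webshell.aspx", "placeholder web shell path"),
]

# Which W3C log field each indicator kind is compared against (assumed names).
FIELD_FOR_KIND = {"ip": "c-ip", "user_agent": "cs(User-Agent)", "uri_path": "cs-uri-stem"}

# Constructed sample log in IIS W3C format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status
2021-03-02 10:00:01 198.51.100.5 GET /owa/ Mozilla/5.0 200
2021-03-02 10:00:02 192.0.2.10 POST /ecp/ ExampleBadAgent/1.0 200
2021-03-02 10:00:03 198.51.100.7 GET /owa/auth/Example-WebShell.aspx Mozilla/5.0 200
""".splitlines()


def parse_w3c(lines: Iterable[str]) -> Iterable[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each data line, keyed by the #Fields header."""
    fields = None
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names the columns
            continue
        if not line or line.startswith("#") or fields is None:
            continue                           # directive, blank, or no header yet
        values = line.split(" ")
        if len(values) != len(fields):
            continue                           # malformed line: skip, don't misattribute
        yield line_no, dict(zip(fields, values))


def scan_log(lines: Iterable[str], indicators=PLACEHOLDER_INDICATORS) -> List[Match]:
    """Return one Match per (line, indicator) pair that hits."""
    matches: List[Match] = []
    for line_no, record in parse_w3c(lines):
        for ind in indicators:
            observed = record.get(FIELD_FOR_KIND[ind.kind], "")
            if ind.kind == "user_agent":
                # IIS writes spaces in the User-Agent as '+'; normalise before comparing.
                hit = observed.replace("+", " ") == ind.value
            elif ind.kind == "uri_path":
                # Windows paths are case-insensitive, so compare lower-cased.
                hit = observed.lower() == ind.value.lower()
            else:
                hit = observed == ind.value
            if hit:
                matches.append(Match(line_no, ind.kind, ind.value, ind.note))
    return matches


if __name__ == "__main__":
    for m in scan_log(SAMPLE_LOG):
        print(f"line {m.line_no}: {m.kind}={m.value} ({m.note})")
```

The scanner reports every indicator hit rather than stopping at the first, so an analyst can see when a single request trips several indicators at once (source address and user agent together, as on line 4 of the sample), which is stronger evidence than either alone. Exact-match comparison is deliberate: an indicator list is a list of known-bad values, and loosening the match is where false positives creep in.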

Affected products include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019.

As Microsoft noted last week, the vulnerabilities in question are used as part of an attack chain, meaning some mitigations only protect against some attack vectors.

“Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file,” Microsoft warned last week.

To that end, CISA reiterates that IT administrators must thoroughly examine their systems for the TTPs and use the IOCs to detect any malicious activity.

“If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures. If an organization finds no activity, they should apply available patches immediately and implement the mitigations in this Alert,” CISA says.