CISA gives federal agencies 5 days to find hacked Exchange servers

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to scan their networks again for any signs of compromised on-premises Microsoft Exchange servers and report their findings within five days.

CISA issued another directive ordering federal agencies to urgently update or disconnect their Exchange on-premises servers after Microsoft released security updates for zero-day bugs collectively dubbed ProxyLogon.

Earlier this month, CISA officials said that, so far, no US federal civilian agencies were compromised in ongoing attacks targeting vulnerable Exchange servers.

The newly issued emergency directive provides federal civilian executive branch agencies with additional forensic triage and server hardening requirements.

“Specifically, this update directs federal departments and agencies to run newly developed tools, Microsoft’s Test-ProxyLogon.ps1 script and Safety Scanner MSERT, to investigate whether their Microsoft Exchange Servers have been compromised,” CISA said.

Microsoft Exchange supplemental guidance

Federal agencies are required to use tools developed by Microsoft that help organizations investigate whether their Exchange servers have been compromised in ProxyLogon attacks:

  • By 12:00 PM EDT on Monday, April 5, 2021, download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode and report results to CISA using the provided reporting template.
  • By 12:00 PM EDT on Monday, April 5, 2021, download and run the Test-ProxyLogon.ps1 script as an administrator to analyze Exchange and IIS logs and discover potential attacker activity. Report results to CISA using the provided reporting template.

CISA also asked agencies that find any evidence of compromise using Microsoft’s new tools to immediately report it “as an incident.”
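As an added example, not part of CISA’s directive or Microsoft’s tooling, the following PowerShell runbook shows how an administrator could run both required checks and decide whether the outcome must be reported as an incident. It assumes both tools were already downloaded to a tool directory and that it runs in an elevated Exchange Management Shell (so Get-ExchangeServer is available); the “detected” marker used to grep the MSERT log is an assumption to verify against the log format of the MSERT build in use.

```powershell
# Added example (not CISA's or Microsoft's code): run the two checks required by
# the ED 21-02 supplemental direction and summarise what has to be reported.
# Assumptions: Test-ProxyLogon.ps1 and msert.exe were downloaded to $ToolDir, and
# this runs as administrator in an Exchange Management Shell.
param(
    [string]$ToolDir = 'C:\IR\ProxyLogon',
    [string]$OutDir  = 'C:\IR\ProxyLogon\results'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Test-ProxyLogon.ps1 analyses the Exchange and IIS logs and writes one CSV
#    per finding type under -OutPath. It takes server names from the pipeline,
#    so a single run covers every on-premises Exchange server in the org.
$proxyLogonOut = Join-Path $OutDir 'Test-ProxyLogon'
Get-ExchangeServer | & (Join-Path $ToolDir 'Test-ProxyLogon.ps1') -OutPath $proxyLogonOut

# 2. MSERT scans the local server only, so this step is repeated per server.
#    Choose "Full scan" when prompted; the scan log lands in %SYSTEMROOT%\debug\msert.log.
$msertLog = Join-Path $env:SystemRoot 'debug\msert.log'
Start-Process -FilePath (Join-Path $ToolDir 'msert.exe') -Wait

# 3. Triage: any CSV written by Test-ProxyLogon.ps1 is suspicious activity it
#    found; any line matching the (assumed) marker in msert.log is a malware hit.
$findings  = @(Get-ChildItem -Path $proxyLogonOut -Filter '*.csv' -Recurse -ErrorAction SilentlyContinue)
$msertHits = @()
if (Test-Path $msertLog) {
    $msertHits = @(Select-String -Path $msertLog -Pattern 'detected')  # assumed marker, verify per MSERT build
}

$summary = [pscustomobject]@{
    Server                 = $env:COMPUTERNAME
    ProxyLogonFindingFiles = $findings.Count
    MsertSuspectLines      = $msertHits.Count
    ReportAsIncident       = ($findings.Count -gt 0) -or ($msertHits.Count -gt 0)
    Evidence               = @($findings.FullName) + @($msertLog)
}
$summary | Format-List

# Preserve the evidence alongside the results so it can go into the CISA reporting template.
if (Test-Path $msertLog) { Copy-Item -Path $msertLog -Destination $OutDir -Force }
if ($summary.ReportAsIncident) {
    Write-Warning 'Evidence of compromise found: report to CISA as an incident, not just as scan results.'
}
```

Even a clean result still has to be reported to CISA by the deadline; the warning only changes which reporting path applies.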

The emergency directive also requires that all agencies further harden their on-premises Exchange servers by 12:00 PM EDT on Monday, June 28, 2021.

Required hardening measures include provisioning firewalls, installing updates within 48 hours after they’re released, using only supported software versions, configuring logging and storing logs off-site for at least 6 months, and installing anti-malware on all on-premises servers.

“Although the Emergency Directive only applies to Federal Civilian Executive Branch agencies, CISA encourages state and local governments, critical infrastructure entities, and other private sector organizations to review the supplemental direction [..] for additional information,” CISA added.

Ongoing attacks targeting Exchange servers

Microsoft disclosed ongoing attacks coordinated by several Chinese state-backed hacking groups exploiting the vulnerabilities.

Slovak internet security firm ESET also reported at least ten more hacking groups actively exploiting these bugs.

Attackers are targeting organizations across multiple industry sectors worldwide, stealing sensitive information and deploying cryptomining malware or ransomware on on-premises Exchange servers.

Of the more than 400,000 servers vulnerable to the ProxyLogon flaws when Microsoft disclosed the bugs on March 2, fewer than 30,000 remain exposed to attacks, as 92% of them were patched within a month.