Industry Letter
To: Chief Executive Officers, Chief Information Officers, Chief Information Security Officers, Senior Information Officers, and Data Privacy Officers of all Regulated Entities
From: Cybersecurity Division, Department of Financial Services
Re: Microsoft Reports Exploitation of Four Vulnerabilities in Microsoft Exchange Server
Date: March 9, 2021
In recent days, thousands of organizations were compromised via zero-day vulnerabilities in Microsoft Exchange Server. On March 2, 2021, Microsoft made patches available for these vulnerabilities but many organizations were compromised either before the patches were available or before the patches were applied.
The Department of Financial Services (“DFS”) urges all regulated entities with vulnerable Microsoft Exchange services to act immediately. Regulated entities should immediately patch or disconnect vulnerable servers, and use the tools provided by Microsoft to identify and remediate any compromise exploiting these zero-day vulnerabilities. The U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) has also released a current activity update outlining how to search for a compromise.
Background: On March 2, 2021, Microsoft reported that four vulnerabilities were discovered in Microsoft Exchange Server 2013 and later (including 2016 and 2019). The vulnerable servers are on-premises installations that host the web version of Microsoft’s Outlook email program on the organization’s own machines rather than with a cloud provider. It also appears that the vulnerabilities were being exploited for some time before March 2, and that widespread exploitation of the vulnerabilities is ongoing.
On March 2nd Microsoft also released several security updates for vulnerabilities affecting the on-premises versions of Microsoft Exchange Server. The Common Vulnerabilities and Exposures (“CVE”)[i] identifiers of the exploited vulnerabilities were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft stated that these exploits “require[] the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections or by setting up a VPN to separate the Exchange server from external access.” The other vulnerabilities fixed in the March 2nd updates were CVE-2021-26412, CVE-2021-26854, and CVE-2021-27078, which, according to Microsoft, are “not related to known attacks.”
CISA Recommendations: As of March 5, 2021, CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities recommends immediate patching of the vulnerabilities and preserving forensic evidence of the cyber event. CISA reported that the threat actors deployed web shells on the compromised servers to establish persistent access to the victims’ networks. Web shells can allow attackers to steal data and perform additional malicious actions, and installing the patches alone will not remove malicious web shells that were deployed before patching. We therefore recommend carefully considering the steps proposed in the CISA Emergency Directive to identify exploited servers and find web shells. We recommend reviewing the following resources:
- Microsoft Advisory: Multiple Security Updates Released for Exchange Server
- Microsoft Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
- Microsoft GitHub Repository: CSS-Exchange
- CISA Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities
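As a companion to the Directive’s guidance on finding web shells and preserving forensic evidence, the following PowerShell triage script is an added example, not part of the DFS letter and not one of Microsoft’s CSS-Exchange tools. It assumes it runs as a local administrator on an on-premises Exchange server, that the OWA/ECP authentication directories and the IIS aspnet_client directory it lists are where Exchange serves web content, and a look-back date that should be adjusted; it lists and hashes recently modified script files there and copies them into an evidence directory rather than deleting anything, so that responders work from a preserved record.

```powershell
# Added triage script; not from the DFS letter nor from Microsoft's CSS-Exchange
# tools. Assumptions: run as a local administrator on the Exchange server; the
# scan roots are where Exchange serves OWA/ECP content (adjust if yours differs).
param(
    [datetime]$Since = (Get-Date '2021-02-01'),   # assumed look-back start
    [string]$EvidenceDir = "$env:SystemDrive\ExchangeTriage\$(Get-Date -Format yyyyMMdd-HHmmss)"
)

$installPath = $env:ExchangeInstallPath   # set by Exchange setup
if (-not $installPath) { throw 'ExchangeInstallPath is not set; is this an Exchange server?' }

$scanRoots = @(
    (Join-Path $installPath 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $installPath 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $env:SystemDrive 'inetpub\wwwroot\aspnet_client')
) | Where-Object { Test-Path $_ }

# Script-capable extensions that should not change on a server outside a Microsoft update.
$scriptExt = '.aspx', '.ashx', '.asmx', '.asp', '.php'

$findings = foreach ($root in $scanRoots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $scriptExt -contains $_.Extension -and
                       $_.LastWriteTimeUtc -ge $Since.ToUniversalTime() } |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                LastWriteUtc = $_.LastWriteTimeUtc
                CreationUtc  = $_.CreationTimeUtc
                SizeBytes    = $_.Length
                Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Preserve evidence before remediation: copy suspects with their relative path
# intact and record hashes instead of deleting anything in place.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
foreach ($f in @($findings)) {
    $dest = Join-Path $EvidenceDir ($f.Path -replace '^[A-Za-z]:\\', '')
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item -Path $f.Path -Destination $dest -Force
}
if ($findings) { $findings | Export-Csv -Path (Join-Path $EvidenceDir 'suspect-files.csv') -NoTypeInformation }

"Scanned $(@($scanRoots).Count) roots; $(@($findings).Count) script files modified since $Since. Evidence: $EvidenceDir"
$findings | Format-Table Path, LastWriteUtc, Sha256 -AutoSize
```

A recently modified script file in these directories is a lead to investigate with Microsoft’s tools and the CISA guidance, not proof of compromise by itself; legitimate updates also touch these paths, so compare timestamps against your patch history.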
Regulated entities should immediately assess the risk to their systems and consumers, and take steps necessary to address vulnerabilities and customer impact. The assessment should identify internal use of vulnerable Microsoft Exchange products and any use of these products by critical third parties. Regulated entities should also continue to track developments in this compromise and respond quickly to new information.
Regulated entities are reminded to report Cybersecurity Events pursuant to 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest.
Any questions or comments regarding this Alert should be directed to [email protected].
[i] Common Vulnerabilities and Exposures (“CVE”) records or numbers are unique, common identifiers for publicly known cybersecurity vulnerabilities. See The Mitre Organization, “About CVE Records.”