The Cybersecurity and Infrastructure Security Agency has released an emergency directive requiring agencies to update their on-premises Microsoft Exchange Servers with security patches or disconnect the products. CISA said Wednesday that all agency chief information officers should submit a report by Friday, March 5, using the provided template to inform CISA about their status.
Microsoft issued the security updates after it found that a state-sponsored threat actor operating from China, called Hafnium, was targeting defense contractors, law firms, policy think tanks, infectious disease researchers and other entities to steal data by compromising on-premises Exchange Server software.
“Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network,” the directive reads.
CISA also directed agencies to acquire forensic images, identify indicators of compromise, and report to CISA any web shell code found on a compromised server, any unauthorized access to accounts, and any evidence of lateral movement by malicious actors with access to compromised servers.
CISA said it will issue additional indicators of compromise as soon as they become available, offer technical support to agencies that lack the capability to comply with the directive, and submit a report on outstanding issues to the secretary of the Department of Homeland Security and the director of the Office of Management and Budget by April 5.