New zero-day vulnerabilities in on-premise Microsoft email servers is causing a fire drill across the government.
The Cybersecurity and Infrastructure Security Agency is giving agency chief information officers until Friday at 12 p.m. to determine if they run Microsoft Exchange servers on-premise, if they need technical help from CISA and answer 19 questions about how they are addressing the vulnerabilities.
CISA issued an emergency directive Wednesday requiring agencies to update or disconnect the Microsoft Exchange products from their networks until they are updated with the patch released Tuesday. Microsoft announced on March 2 it had detected multiple zero-day exploits used to attack on-premises versions of its Exchange Servers in limited and targeted attacks.
“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,” Microsoft wrote in a blog post.
CISA says these exploitations pose an “unacceptable risk” to agencies based on the current exploitation of these vulnerabilities, the likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded. The agency says the attacker could use these vulnerabilities to access on-premises Exchange Servers and gain persistent system access and control of an enterprise network.
“This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail,” wrote Volexity, which discovered the exploit, in a blog post. “This vulnerability has been confirmed to exist within the latest version of Exchange 2016 on a fully patched Windows Server 2016 server. Volexity also confirmed the vulnerability exists in Exchange 2019 but has not tested against a fully patched version, although it believes they are vulnerable.”
Important first step
Acting CISA director Brandon Wales said the directive will both help secure federal networks and help the government understand what the hacker is doing.
“The swiftness with which CISA issued this Emergency Directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it,” Wales said in a statement.
In addition to patching or removing the Exchange servers, CISA also wants agencies to collect forensic images, search for known indicators of compromise after patching and if indicators are found, contact CISA to begin incident response activities.
Rep. John Katko (R-N.Y.), ranking member of the Homeland Security Committee, said CISA’s quick action is an important first step to addressing continued Chinese-sponsored attacks.
“[T]here is still much more to learn about the extent of this cyber campaign. My team is in touch with CISA, and I look forward to formal briefings in the near future,” he said in a statement.
CISA says by April 5 it will provide a report to the secretary of Homeland Security and the director of the Office of Management and Budget identifying cross-agency status and outstanding issues.
This latest threat comes as CISA continues to remediate the SolarWinds attack, which Katko is seeking more details from CISA on.
In a March 2 letter to Wales, Katko asked for answers to his questions by April 9.
“In the wake of the SolarWinds campaign, the committee would like to better understand CISA’s current cyber situational awareness posture. Particularly, how is CISA performing its internet asset discovery, monitoring, and vulnerability management functions for federal networks and critical infrastructure? Additionally, how could CISA better connect these sources of visibility together to maximize overall awareness of the risk landscape for the Nation?” the letter stated.
84% of all email is in the cloud
CISA says the Microsoft Exchange vulnerability doesn’t impact Office 365 or Azure cloud deployments.
While 17 major agencies have at least 98% of their email in the cloud, it doesn’t mean they aren’t running Exchange servers. Across government, however, only 84% of all email is in the cloud.
And those agencies like the departments of Treasury, Justice, Homeland Security and Energy that have less than 55% of all email in the cloud as of December 2020 face a more of an urgent need to patch their systems.
For smaller agencies, the Exchange vulnerabilities may be more challenging to deal with. It’s unclear how many of the medium and small agencies have put their email in the cloud.
CISA says these agencies should immediately disconnect Microsoft Exchange on-premises servers until they direct them to rebuild the Microsoft Exchange Server operating system and reinstall the software package.
“This vulnerability and subsequent emergency directive imposed by CISA continues to highlight the challenges of proper technology risk management and should continue to place focus and scrutiny on technology suppliers and agencies,” said Jerry Davis, a former chief information security officer at NASA and the Veterans Affairs Department and now founder of Gryphon X, a technology risk management firm. “Organizations have become complacent in the management of technology risks, often abdicating the function of continuous monitoring once the technology has become ‘legacy’ and in many cases well before then. Likewise, the federal government must demand of suppliers to articulate and continuously demonstrate reasonable security practices in their value chain. Until the product value chain can be reasonably secured, then these issues will continue to occur with regularity.”
Davis added agencies need to operate in a zero trust environment and reengineer those systems impacted by the vulnerability.
“Many say that the Internet is unsafe and unsecure. I would opine that the Internet was designed with the assumption that the end nodes to which they were connected were secure. Many decades later, we still have not secured the end nodes, be it in the architectural design of systems or networks or in the software development process,” he said.