Content Assessment: Compromised? Joint FBI and CISA Cybersecurity Advisory on Microsoft Exchange Server Vulnerabilities
Information - 95%
Insight - 95%
Relevance - 95%
Objectivity - 95%
Authority - 95%
A short percentage-based assessment of the qualitative benefit of the post highlighting the Joint FBI and CISA Cybersecurity Advisory on Microsoft Exchange Server vulnerabilities.
Editor’s Note: According to Cybersecurity and Infrastructure Security Agency (CISA), active exploitation of vulnerabilities in Microsoft Exchange Server products has been observed. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services. The following joint advisory from CISA and the Federal Bureau of Intelligence (FBI) highlights the cyber threat associated with this active exploitation of vulnerabilities.
Joint Cybersecurity Advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity Infrastructure Agency (CISA)*
Compromise of Microsoft Exchange Server
This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise framework for referenced threat actor techniques and for mitigations.
This Advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of vulnerabilities in Microsoft Exchange on-premises products. The FBI and CISA assess that nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities. The exploitation of Microsoft Exchange on-premises products poses a serious risk to Federal Civilian Executive Branch agencies and private companies. Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors. FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web.
On March 2, 2021, Microsoft and Volexity announced the detection of multiple zero-day exploits used to target vulnerabilities in on-premises versions of Microsoft Exchange Servers. In light of this public announcement, FBI and CISA assess that other capable cyber actors are attempting to exploit these vulnerabilities before victims implement the Microsoft updates.
The FBI and CISA have reports of malicious cyber actors using zero-day exploits CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to gain access [T1190] to on-premises Microsoft Exchange servers of U.S. entities as early as January 2021. Various Tactics, Techniques, and Procedures (TTPs) have been identified, but the actor(s) frequently appeared to be writing webshells [T1505.003] to disk for initial persistence, conducting further operations to dump user credentials [T1003], adding/deleting user accounts as needed [T1136], stealing copies of the Active Directory database (NTDS.dit) [T1003.003], and moving laterally to other systems and environments. The actors appear to be collecting [T1114], compressing [T1560.001], and exfiltrating mailbox data.
This information has been shared with multiple U.S. government (USG) agencies and partners.
The FBI is proactively investigating this malicious cyber activity, leveraging specially trained cyber squads in each of its 56 field offices, and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies. Sharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims while working to unmask—and hold accountable—those conducting cyber activities.
See the CISA Remediating Microsoft Exchange Vulnerabilities web page for both executive- and technical-level guidance. Additionally, refer to the following CISA Alert for full technical details that address the four vulnerabilities in Microsoft Exchange Servers and associated IOCs.
Joint Cybersecurity Advisory – Compromise of Microsoft Exchange Server – 031021
What is the Cybersecurity and Infrastructure Security Agency? The Cybersecurity and Infrastructure Security Agency (CISA) is the Nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. CISA builds the national capacity to defend against cyber attacks and works with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies.
What is the FBI? The FBI is an intelligence-driven and threat-focused national security organization with both intelligence and law enforcement responsibilities. It is the principal investigative arm of the U.S. Department of Justice and a full member of the U.S. Intelligence Community. The FBI has the authority and responsibility to investigate specific crimes assigned to it and to provide other law enforcement agencies with cooperative services, such as fingerprint identification, laboratory examinations, and training. The FBI also gathers, shares, and analyzes intelligence, both to support its own investigations and those of its partners and to better understand and combat the security threats facing the United States.
*Shared with permission under Creative Commons – Attribution (BY) 4.0 – license.
- SOARing Costs? Considering Data Breach Economics
- Luck of the Irish? Data Protection Commission of Ireland Publishes Annual Report