Compromised? Joint FBI and CISA Cybersecurity Advisory on Microsoft Exchange Server Vulnerabilities

According to the recent FBI and CISA Cybersecurity Advisory on Microsoft Exchange Server vulnerabilities, these vulnerabilities allow an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. Exploitation has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors.



Editor’s Note: According to the Cybersecurity and Infrastructure Security Agency (CISA), active exploitation of vulnerabilities in Microsoft Exchange Server products has been observed. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services. The following joint advisory from CISA and the Federal Bureau of Investigation (FBI) highlights the cyber threat associated with this active exploitation of vulnerabilities.

Joint Cybersecurity Advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)*

Compromise of Microsoft Exchange Server

This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise framework for referenced threat actor techniques and for mitigations.

Summary

This Advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of vulnerabilities in Microsoft Exchange on-premises products. The FBI and CISA assess that nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities. The exploitation of Microsoft Exchange on-premises products poses a serious risk to Federal Civilian Executive Branch agencies and private companies. Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors. FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web.

On March 2, 2021, Microsoft and Volexity announced the detection of multiple zero-day exploits used to target vulnerabilities in on-premises versions of Microsoft Exchange Servers. In light of this public announcement, FBI and CISA assess that other capable cyber actors are attempting to exploit these vulnerabilities before victims implement the Microsoft updates.

The FBI and CISA have reports of malicious cyber actors using zero-day exploits CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to gain access [T1190] to on-premises Microsoft Exchange servers of U.S. entities as early as January 2021. Various Tactics, Techniques, and Procedures (TTPs) have been identified, but the actor(s) frequently appeared to be writing webshells [T1505.003] to disk for initial persistence, conducting further operations to dump user credentials [T1003], adding/deleting user accounts as needed [T1136], stealing copies of the Active Directory database (NTDS.dit) [T1003.003], and moving laterally to other systems and environments. The actors appear to be collecting [T1114], compressing [T1560.001], and exfiltrating mailbox data.

This information has been shared with multiple U.S. government (USG) agencies and partners.

The FBI is proactively investigating this malicious cyber activity, leveraging specially trained cyber squads in each of its 56 field offices, and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies. Sharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims while working to unmask—and hold accountable—those conducting cyber activities.

See the CISA Remediating Microsoft Exchange Vulnerabilities web page for both executive- and technical-level guidance. Additionally, refer to the following CISA Alert for full technical details that address the four vulnerabilities in Microsoft Exchange Servers and associated IOCs.

Read the Complete Advisory (PDF)

Joint Cybersecurity Advisory – Compromise of Microsoft Exchange Server – 031021

Read the advisory from the original source.

Background Information

What is the Cybersecurity and Infrastructure Security Agency? The Cybersecurity and Infrastructure Security Agency (CISA) is the Nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. CISA builds the national capacity to defend against cyber attacks and works with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies.

What is the FBI? The FBI is an intelligence-driven and threat-focused national security organization with both intelligence and law enforcement responsibilities. It is the principal investigative arm of the U.S. Department of Justice and a full member of the U.S. Intelligence Community. The FBI has the authority and responsibility to investigate specific crimes assigned to it and to provide other law enforcement agencies with cooperative services, such as fingerprint identification, laboratory examinations, and training. The FBI also gathers, shares, and analyzes intelligence, both to support its own investigations and those of its partners and to better understand and combat the security threats facing the United States.

*Shared with permission under Creative Commons – Attribution (BY) 4.0 – license.

Source: ComplexDiscovery
