March 8, 2021

Cyber Attacks Targeting Microsoft Exchange Server Vulnerabilities Identified

Client Alert
Beth Neal Pitman

The Cybersecurity and Infrastructure Security Agency (CISA) has recently identified a threat targeting Microsoft Exchange Server 2010, 2013, 2016 and 2019 email servers and has issued an alert about it.

Microsoft announced that the attack is linked to Chinese government-backed hackers. Initially, the attack was directed at high-profile targets, but the attack has morphed into indiscriminate mass exploitation of hosted email servers.

Further information on this incident has been reported in the New York Times, the Wall Street Journal and numerous other news outlets.

Here are the recommended steps to take to protect your data:

Blocking: CISA recommends immediately limiting or blocking extranet access to internet-facing Exchange Servers.

Tackling:

(1) Patch: Install and implement software updates provided by Microsoft and identified in its Alert.

(2) Forensic review: Assess servers for compromise and conduct review as needed. Maintain copies of audit logs and forensic assessments.

(3) Mitigation: If immediate patching has not occurred, implement Microsoft’s temporary suggestions and take additional action, as needed, to protect against attack and exploitation of information, up to and including, as necessary, disconnecting servers until software updates are complete.

If your IT security staff or vendor has not already taken action, we recommend prompt attention to this threat. Various response information can be found at the Microsoft Security Response Center.

This situation is yet another reminder of the importance of diligence with cybersecurity. IT teams should be sure that they are signed up for various news feeds, such as that of CISA, the Office for Civil Rights, and others. Furthermore, IT teams should check for program updates on a regular schedule, independent of major announced incidents.

For assistance with security issues, policies, and incident response, please contact the authors.
