CISA has issued supplemental direction to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities providing additional forensic triage and server hardening, requirements for federal agencies. Specifically, this update directs federal departments and agencies to run newly developed tools —Microsoft’s Test-ProxyLogon.ps1 script and Safety Scanner MSER—to investigate whether their Microsoft Exchange Servers have been compromised.  

Tim Wade, Technical Director, CTO Team at Vectra, says, “If there ever was a question of the impact and risk associated with these vulnerabilities, it should clearly be answered now -- CISA has instructed organizations with insufficient cybersecurity expertise to fully disconnect their on-premises exchange infrastructure until such a time as instructions for rebuilding and reprovisioning are provided. Given the importance of email for modern business, these directives indicate that there are organizations who may be implicitly instructed to stand down from the full execution of their primary function unless and until remediation occurs.”

Although the Emergency Directive only applies to Federal Civilian Executive Branch agencies, CISA encourages state and local governments, critical infrastructure entities, and other private sector organizations to review the supplemental direction and the following resources for additional information:

• CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
• CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
• CISA web page: Remediating Microsoft Exchange Vulnerabilities
• Microsoft’s EOMT.ps1 blog post

Kevin Dunne, President at Pathlock, explains, "The recent announcement of vulnerabilities for on-premise Microsoft Exchange servers is a reminder of the complexity of managing critical applications and infrastructure in house.  The explosion in vulnerabilities has spurred companies to consider adopting SaaS versions of their software, so they can receive patches and updates quickly, and directly from the vendor.  Shifting to a cloud-based approach will open new loopholes, as data shifts to the public internet and traditional network-based protection offers little value.  Cloud-enabled organizations must look to access based approaches to protect their critical assets and the data that resides within them."

According to Anthony Pillitiere, Co-Founder and CTO at Horizon3.AI, “We will continue to see a significant increase in serious cyber attacks throughout 2021 using ubiquitous software like Exchange and SolarWinds as the attack vector. Organizations that lack a strong cyber security foundation will suffer, but organizations that have invested in the right talent, tools, processes, and partners will weather the storm.”