ALBANY, N.Y.–The New York State Department of Financial Services has issued an industry letter to all of its regulated entities following the recent discovery of cybersecurity vulnerabilities in Microsoft Exchange Server.
As CUToday.info reported here, thousands of organizations are reported to have been compromised via zero-day vulnerabilities in Microsoft Exchange Server. On March 2, Microsoft made patches available for these vulnerabilities, but, as the DFS noted, many organizations were compromised either before the patches were available or before the patches were applied.
“The Department of Financial Services urges all regulated entities with vulnerable Microsoft Exchange services to act immediately,” the department said. “Regulated entities should immediately patch or disconnect vulnerable servers, and use the tools provided by Microsoft to identify and remediate any compromise exploiting these zero-day vulnerabilities. The U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) has also released a current activity update outlining how to search for a compromise.”
Four Vulnerabilities
Microsoft has reported that four vulnerabilities were discovered in Microsoft Exchange Server 2013 and later (including 2016 and 2019). The vulnerable servers are on-premises installations that host the Web version of Microsoft’s email program Outlook on an organization’s own machines rather than with a cloud provider. It also appears that the vulnerabilities were being exploited for some time before March 2, and that widespread exploitation of the vulnerabilities is ongoing, according to Microsoft.
Microsoft has released several security updates for vulnerabilities affecting the on-premises versions of Microsoft Exchange Server. The Common Vulnerabilities and Exposures (“CVE”) entries exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft stated that these exploits “require[] the ability to make an untrusted connection to Exchange server port 443.”
“This can be protected against by restricting untrusted connections or by setting up a VPN to separate the Exchange server from external access,” Microsoft said.
The other vulnerabilities fixed in the March 2 updates, CVE-2021-26412, CVE-2021-26854, and CVE-2021-27078, are, according to Microsoft, “not related to known attacks.”
CISA Recommendations
CISA Emergency Directive 21-02, “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities,” recommends immediate patching of the vulnerabilities and preserving forensic evidence of the cyber event. CISA reported that the threat actors deployed web shells on the compromised servers to establish persistent access to the victims’ networks.
CISA noted that web shells can allow attackers to steal data and perform additional malicious actions, and that installing the patches alone will not remove malicious web shells deployed before patching.
Act Immediately
“Regulated entities should immediately assess the risk to their systems and consumers, and take steps necessary to address vulnerabilities and customer impact,” the New York DFS is recommending. “The assessment should identify internal use of vulnerable Microsoft Exchange products and any use of these products by critical third parties. Regulated entities should also continue to track developments in this compromise and respond quickly to new information.”
