Homeland Security has declared an ongoing attack against Microsoft Exchange as an emergency. The attacks, which began earlier this week, target Microsoft Exchange Servers, stringing together several zero-day exploits to access secure email accounts.
Homeland Security: Attack Is “Unacceptable Risk”
Homeland Security issued Emergency Directive 21-02 late on March 3, delivering some background information on the Microsoft Exchange attack.
CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.
The directive then explains that an attack of this nature “poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”
Homeland Security has set a deadline of 12 PM EST on Friday, March 5, for federal agencies to comply with the analysis and mitigation protocols set out in the directive.
Currently, each agency must identify its Microsoft Exchange Servers, complete a forensic triage of its system memory, logs, and registry hives, then analyze the results for any indicators of credential theft or other compromises.
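A collection script in the spirit of the triage the directive describes, added here as an illustration and not taken from the directive or from Microsoft; it assumes it is run in an elevated Exchange Management Shell on each on-premises server, that IIS and Exchange logs sit in their default locations, and that C:\Triage is the output folder.

```powershell
# Added example (not from the directive): gather an inventory, web/proxy logs,
# and registry hives from an on-premises Exchange server for offline analysis.
param([string]$OutRoot = "C:\Triage")  # assumed collection target

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$dest  = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path (Join-Path $dest "logs") -Force | Out-Null

# 1. Inventory: which Exchange servers exist and what build they run
#    (Get-ExchangeServer is an Exchange Management Shell cmdlet)
Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion |
    Export-Csv (Join-Path $dest "exchange-servers.csv") -NoTypeInformation

# 2. Logs: IIS access logs and the Exchange HttpProxy logs (default paths assumed)
$logSources = @(
    "C:\inetpub\logs\LogFiles",
    (Join-Path $env:ExchangeInstallPath "Logging\HttpProxy")
)
foreach ($src in $logSources) {
    if (Test-Path $src) {
        $name = $src -replace '[:\\]', '_'   # flatten the path into a folder name
        Copy-Item $src -Destination (Join-Path $dest "logs\$name") -Recurse -Force
    }
}

# 3. Registry hives: offline copies for later parsing (requires elevation)
foreach ($hive in "SYSTEM", "SOFTWARE", "SECURITY", "SAM") {
    & reg.exe save "HKLM\$hive" (Join-Path $dest "$hive.hiv") /y | Out-Null
}

# 4. Memory is not captured here; use a dedicated acquisition tool before
#    rebooting or patching so volatile evidence is preserved.

# 5. Hash the collection so its integrity can be checked when it is analysed;
#    the manifest is written outside $dest so it does not hash itself.
Get-ChildItem $dest -Recurse -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $OutRoot "$env:COMPUTERNAME-$stamp-manifest.csv") -NoTypeInformation
```

Copy the resulting folder and manifest to an analysis host before applying patches, since patching changes the very files an investigator needs to examine.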
Who Is Attacking Microsoft Exchange Servers?
Microsoft has pointed the finger squarely at a Chinese nation-state hacking group known as HAFNIUM. Usually, companies take a little longer before committing to naming a suspect, but Microsoft is in little doubt that a “highly skilled and sophisticated actor” is behind the attack.
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
Part of the reason for this is that the Microsoft Exchange attack strings together four previously unknown vulnerabilities. You can read the details on the official Microsoft Security blog.
Microsoft also notes that it has observed HAFNIUM interacting with its Microsoft Office 365 suite, probing for vulnerabilities. It also confirmed that this attack has no relation to SolarWinds, the enormous cyberattack that affected multiple US government agencies, along with several leading tech companies.
The good news is that while these attacks are ongoing and do pose a significant threat against Microsoft Exchange Servers, the Microsoft security team has already rolled out a series of patches to mitigate the vulnerabilities.
You can find more details regarding the Microsoft Exchange Server patches on the Microsoft Tech Community site, including how to download and install the updates as well as how to scan your Exchange Servers for signs of compromise.