At Observatory, we are dedicated to providing our customers with solutions beyond their policies. As an industry leader, we strongly urge all of our clients – not just regulated entities – to take this matter very seriously. If you have questions about your policy and whether cyber coverage is a part of your portfolio, please contact your agent immediately. Furthermore, we urge you to reserve your rights by submitting a ‘Reservation of Rights’ document, affirming your silent, non-affirmative coverage with your carrier today.
In the last week, many organizations were compromised via zero-day vulnerabilities in Microsoft Exchange Server. On March 2, 2021, Microsoft made patches available for these vulnerabilities, however, it was too late for many organizations, which were compromised before the patches were available or before they had the chance to apply them.
At Observatory, we strongly urge clients with vulnerable Microsoft Exchange services to act immediately. Especially if you operate a regulated entity, you should immediately patch or disconnect all vulnerable servers, and use the tools provided by Microsoft to identify and remediate any compromise stemming from these exploitations. The U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) has also released a current activity update outlining how to search for a compromise.
What Happened, and When?
On March 2, 2021, Microsoft reported that four vulnerabilities were discovered in the Microsoft Exchange servers from 2013 and later (including 2016, 2019). The vulnerable servers appear to self-host Web versions of Microsoft’s email program Outlook on their own machines rather than enrolling in a cloud provider program. It also appears that the vulnerabilities did not begin on March 2, rather – they appear to have been happening for a long while beforehand. Widespread exploitation of the vulnerabilities is ongoing, meaning time is of the essence. If your servers have not been exploited yet, it is still possible that they will be.
On March 2nd Microsoft also released several security updates for vulnerabilities affecting the on-premises versions of Microsoft Exchange Server. The Common Vulnerabilities and Exposures (“CVE”) exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft has stated that these exploits “require the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections or by setting up a VPN to separate the Exchange server from external access.” Other vulnerabilities given attention in the March 2nd updates were CVE-2021-26412, CVE-2021-26854, and CVE-2021-27078. According to Microsoft, however, these fixes are “not related to known attacks.”
U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency Recommendations:
As of March 5, 2021, CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities recommends immediately applying the correct patches to all known vulnerabilities, as well as preserving forensics of the cyber event. CISA reported that hackers deployed web shells on the compromised servers to establish persistent access to the victims’ network. Web shells allow attackers to steal data and perform additional malicious actions. It is important to note that simply installing the patches will not remove malicious web shells that were deployed before patching. We strongly recommend that you follow the steps provided in the CISA Emergency Directive to identify exploited servers and find web shells. Here are some resources to assist you:
- Microsoft Advisory: Multiple Security Updates Released for Exchange Server
- Microsoft Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
- Microsoft GitHub Repository: CSS-Exchange
- CISA Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities
Regulated entities should immediately assess the risk to their systems and consumers, and take steps necessary to address vulnerabilities and customer impact. Your assessment should identify internal use of vulnerable Microsoft Exchange products and any use of these products by critical third parties. Regulated entities should also continue to track developments in this compromise and respond quickly to new information.
Regulated entities are reminded to report Cybersecurity Events as promptly as possible and within 72 hours at the latest.