The U.S. National Security Agency discovered and notified Microsoft of two Exchange Server vulnerabilities that could allow hackers to persistently access and control enterprise networks.
The latest flaws affect on-premises Microsoft Exchange Server 2013, 2016, and 2019, and could be exploited by adversaries to gain access and maintain persistence on the target host, according to the Cybersecurity and Infrastructure Security Agency. These flaws are likely to be weaponized, and CISA said there’s a high potential they could compromise the integrity and confidentiality of agency information.
“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action,” the agency wrote in a supplemental directive issued Tuesday. Federal agencies with on-premises Microsoft Exchange servers are required to deploy Microsoft’s patches by 12:01 a.m. ET Friday or remove the servers from agency networks, CISA said.
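Deciding which servers fall under the “patch or remove” requirement means knowing the Security Update level of each one, and `Get-ExchangeServer` only reports the Cumulative Update build, not the SU. The following PowerShell is an added example, not CISA’s or Microsoft’s code: it reads the file version of `ExSetup.exe` on each server (which the SU does bump) and compares it with a per-branch minimum build. The minimum builds in the table are assumptions for illustration and must be confirmed against Microsoft’s advisory for the update being deployed; the registry path and `MsiInstallPath` value are the standard Exchange 2013/2016/2019 setup keys.

```powershell
# Added example (not from the article, CISA or Microsoft): flag on-premises
# Exchange servers whose installed Security Update level is below a minimum.
# Run from the Exchange Management Shell with an account that can read each
# server's Exchange bin directory over PowerShell remoting.

# Minimum patched builds per Exchange branch. These values are ASSUMPTIONS for
# illustration; confirm them against Microsoft's advisory before relying on them.
$MinimumPatchedBuild = @{
    '15.0' = [version]'15.0.1497.15'   # Exchange 2013 CU23 + SU (assumed)
    '15.1' = [version]'15.1.2242.8'    # Exchange 2016 CU20 + SU (assumed)
    '15.2' = [version]'15.2.858.10'    # Exchange 2019 CU9 + SU (assumed)
}

function Get-ExchangeExSetupVersion {
    param([Parameter(Mandatory)][string]$ComputerName)
    # AdminDisplayVersion does not change when an SU is installed, so read the
    # file version of ExSetup.exe under the install path recorded by Setup.
    $fileVersion = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $setupKey = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
        $root = (Get-ItemProperty -Path $setupKey).MsiInstallPath
        (Get-Item (Join-Path $root 'bin\ExSetup.exe')).VersionInfo.FileVersion
    }
    return [version]$fileVersion
}

function Get-ExchangePatchStatus {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][version]$InstalledBuild,
        [Parameter(Mandatory)][hashtable]$MinimumBuilds
    )
    # Branch is Major.Minor (15.0 = 2013, 15.1 = 2016, 15.2 = 2019).
    $branch = '{0}.{1}' -f $InstalledBuild.Major, $InstalledBuild.Minor
    $minimum = $MinimumBuilds[$branch]
    $status = if ($null -eq $minimum) { 'Unknown branch' }
              elseif ($InstalledBuild -ge $minimum) { 'Patched' }
              else { 'NEEDS PATCH OR REMOVAL' }
    [pscustomobject]@{
        Server    = $ServerName
        Installed = $InstalledBuild
        Minimum   = $minimum
        Status    = $status
    }
}

$results = foreach ($server in Get-ExchangeServer) {
    try {
        $installed = Get-ExchangeExSetupVersion -ComputerName $server.Name
        Get-ExchangePatchStatus -ServerName $server.Name -InstalledBuild $installed `
                                -MinimumBuilds $MinimumPatchedBuild
    }
    catch {
        # A server that cannot be queried is itself a finding: it may be
        # decommissioned-but-still-in-AD, firewalled, or otherwise unmanaged.
        [pscustomobject]@{ Server = $server.Name; Installed = $null;
                           Minimum = $null; Status = "Query failed: $($_.Exception.Message)" }
    }
}

$results | Sort-Object Status, Server | Format-Table -AutoSize
```

One caveat: the table holds a single minimum per branch, so a server on the previous supported CU with the matching SU applied (a lower build than the current CU plus SU) will be reported as needing a patch. If that is a supported configuration in your environment, key the table by full CU build rather than by branch, again using values taken from Microsoft’s advisory.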
CISA said Exchange servers are a primary target for hackers given the powerful privileges that Exchange manages by default as well as the amount of potentially sensitive information that’s stored in Exchange servers operated and hosted by (or on behalf of) federal agencies. There is widespread use of versions of Microsoft Exchange affected by these vulnerabilities across the Executive Branch, according to CISA.
“Though CISA is unaware of active exploitation of these vulnerabilities, once an update has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit,” CISA said.
The U.S. government carefully weighs the national security, public, and commercial interests in deciding to disclose a vulnerability, according to a statement Tuesday from Anne Neuberger, deputy national security advisor for cyber and emerging technologies. Neuberger said the U.S. government additionally recognizes when vulnerabilities may pose such a systemic risk that they require expedited disclosure.
“Should these vulnerabilities evolve into a major incident, we will manage the incident in partnership with the private sector, building on the Unified Coordination Group processes established and exercised in the recent Microsoft Exchange incident,” Neuberger said in her statement Tuesday.
The two vulnerabilities found by the NSA were assigned a CVSS severity rating of 9.8 out of 10, indicating their criticality. Customers using Exchange Online rather than on-premises Exchange Servers are already protected and don’t need to take any action, according to Microsoft.
“We have not seen the vulnerabilities used in attacks against our customers,” the Microsoft Security Response Center (MSRC) wrote in a blog Tuesday. “However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.”
The Microsoft Exchange hacks first came into the public eye March 3, when the Redmond, Wash.-based software giant disclosed four vulnerabilities in on-premises versions of Exchange. Two days later, KrebsOnSecurity reported that Chinese hackers had taken advantage of the vulnerabilities to steal emails from at least 30,000 organizations across the United States.
ESET reported March 10 that at least 10 different advanced hacking groups had been taking advantage of the zero-day vulnerabilities. Multiple hacking groups gained access to the details of the vulnerabilities before Microsoft released its patch, which rules out the possibility that they reverse engineered Microsoft’s updates.
Microsoft is looking into whether a leak may have triggered mass Exchange server compromises ahead of its patch release, two sources with knowledge of Microsoft’s response told Bloomberg March 12. On Feb. 26, four days before Microsoft released its patches, attackers began infiltrating Microsoft Exchange en masse as if they knew their window was about to close, Proofpoint’s Ryan Kalember told Bloomberg.