CISA: U.S. agencies must scan for Exchange Server attacks

CISA has not said whether any federal agencies have been hit by Exchange Server attacks, but the directive requires them to use Microsoft's detection tools to identify threats.

The U.S. Cybersecurity and Infrastructure Security Agency released new guidance for federal organizations that use on-premises Exchange servers, requiring that they run two Microsoft scanning tools to check for compromise.

On Wednesday, CISA added a new section in its emergency directive for U.S. government agencies that use on-premises Microsoft Exchange servers and are impacted by the widely exploited zero-day vulnerabilities disclosed on March 2. While the initial directive, released by CISA on March 3, instructed agencies on patching and mitigations, the new supplemental direction focuses on triage and improving security posture.

By noon Eastern Daylight Time (EDT) on April 5, agencies must run the latest version of the Microsoft Support Emergency Response Tool (MSERT), which scans for malicious web shells, and the Test-ProxyLogon.ps1 script, which detects indicators of compromise from these attacks, and then report the results to CISA.

Microsoft released the free tools last month to assist organizations with response and investigations. Numerous threat actors have exploited the Exchange Server vulnerabilities and deployed web shells in Exchange environments that grant them unauthorized access even after the vulnerabilities have been patched.

SearchSecurity asked Microsoft how many times the two tools have been downloaded and utilized, but the company declined to comment.

By noon EDT on June 28, agencies must implement various hardening requirements for their on-premises servers, including adding a firewall, ensuring all software is fully updated and supported, using antimalware, reviewing access permissions, ensuring logs are stored for 180 days and validating that "their on-premises Exchange servers are visible to CDM information security continuous monitoring capabilities, where possible."

Regarding access management, the directive noted that "Exchange is, by default, installed with some of the most powerful privileges in Active Directory, making it a prime target for threat actors."

While SolarWinds was notable in part due to its impact on the U.S. government (CISA released a directive for those attacks as well), no federal agency has yet confirmed a breach against any of its on-premises Exchange servers. However, local governments have reportedly been impacted.

SearchSecurity asked CISA whether any evidence of compromise has been found on servers used by federal agencies, but the agency did not respond at press time.

In the month since disclosure, the scope of the Exchange Server attacks stemming from ProxyLogon and the related vulnerabilities has expanded greatly.

Tens of thousands of servers are still vulnerable, according to the latest reports, and last week Kryptos Logic said that there were more than 100,000 active web shells discovered on Exchange servers. Moreover, at least two different types of ransomware have been utilized against victims.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
