Microsoft Exchange server vulnerabilities threaten county cybersecurity
Author
Rita Reynolds
Key Takeaways
Government agencies and businesses in the United States that use an on-premises Microsoft email service have been compromised in an aggressive hacking campaign that was likely sponsored by the Chinese government, according to Microsoft, and should immediately patch their systems and look for evidence of network compromise.
The number of victims is estimated to be in the tens of thousands and could rise, according to security experts, as the investigation into the breach continues.
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) became aware of this in early March and is working closely with Microsoft and other partners to get the word out to local governments.
NACo received additional communications from the White House on March 9, saying as follows:
The Microsoft Exchange Server vulnerability is a significant threat that is poised to grow exponentially. When this happens, it will disproportionately hit state, local, and tribal governments; small and medium sized businesses; and school systems and academic institutions. As bad as it may seem now, the attacks are still limited to a small set of bad actors. That is about to change, because now that the patch is out, criminals and other actors will soon be able to copy the attack and will almost certainly use it to deploy ransomware and other destructive attacks on a massive scale. We have a very short window – measured in days, not weeks – to get every vulnerable organization to protect their servers. Organizations also need to look to see if they’re already compromised – patching will protect you against future attacks but won’t kick out an attacker who is already on your system. Every server that is patched is one less target for the criminals.
Learn More
Contact CISA for any questions or to report an incident regarding this vulnerability
According to CISA, the seriousness of this vulnerability cannot be overstated; the exploitation of it is widespread and indiscriminate. The exploitation of this vulnerability permits an adversary to compromise identity and trust in your network, which is likely to persist even after patching Microsoft Exchange. Please immediately speak with your IT officials to determine what steps your organization has taken, and if your organization does not have the technical capability to verify network integrity, please consider engaging a third party to assist you as soon as possible.
Counties using Microsoft Exchange on-premise products should immediately:
- Patch Microsoft Exchange with the vendor released patches.
- If unable to patch immediately or remove the Microsoft Exchange from the network immediately, CISA strongly recommends following alternative mitigations found in Microsoft’s blog on Exchange Server Vulnerabilities Mitigations. This should not be taken as an adequate solution for patching.
- Check for signs of compromise.
- If evidence of compromise is found, assume that your organization’s network identity has been compromised and begin incident response procedures.
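The "check for signs of compromise" step above is the one most county IT teams will struggle with, because patching alone says nothing about what an intruder left behind. The following is an added example, not code from NACo, CISA or Microsoft, of a first-pass triage that a defender can run against an IIS web root: it lists server-side script files modified after a chosen baseline date, and separately compares SHA-256 hashes of those files against a known-good manifest so that a file whose timestamp was preserved still shows up as changed. The directory layout, file names, contents, dates and baseline manifest are all constructed inside the script for an offline demonstration; real deployments would point `find_recent_script_files` and `hash_manifest` at the production web root and at a manifest captured before the incident.

```python
"""Triage sweep for new or altered server-side script files under a web root.

Added example for the 'check for signs of compromise' step; not code from
NACo, CISA or Microsoft. Everything under build_constructed_web_root() is
constructed sample data, including the paths and the baseline hashes.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions IIS executes server-side (assumption; adjust per deployment).
SCRIPT_EXTENSIONS = {".aspx", ".asmx", ".ashx", ".asp"}


def _is_script(path):
    return path.suffix.lower() in SCRIPT_EXTENSIONS


def find_recent_script_files(web_root, since):
    """Return script files under web_root modified at or after `since` (UTC).

    Paths come back relative to web_root with forward slashes, so results
    from several servers can be compared directly.
    """
    web_root = Path(web_root)
    cutoff = since.timestamp()
    hits = []
    for path in web_root.rglob("*"):
        if path.is_file() and _is_script(path) and path.stat().st_mtime >= cutoff:
            hits.append(path.relative_to(web_root).as_posix())
    return sorted(hits)


def hash_manifest(web_root):
    """Map each script file (relative POSIX path) to its SHA-256 hex digest."""
    web_root = Path(web_root)
    manifest = {}
    for path in web_root.rglob("*"):
        if path.is_file() and _is_script(path):
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(web_root).as_posix()] = digest
    return manifest


def diff_manifest(baseline, current):
    """Compare a known-good manifest with the current one.

    Returns (added, changed, removed). 'changed' catches files whose content
    differs even when the modification time was kept old.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, changed, removed


def build_constructed_web_root():
    """Create a throwaway web root with constructed files and a matching
    pre-incident baseline manifest, so the sweep runs offline."""
    root = Path(tempfile.mkdtemp(prefix="constructed-webroot-"))
    old = datetime(2021, 1, 15, tzinfo=timezone.utc).timestamp()
    new = datetime(2021, 3, 5, tzinfo=timezone.utc).timestamp()
    # (relative path, bytes recorded in the baseline or None, bytes on disk now, mtime)
    samples = [
        ("owa/auth/logon.aspx", b"<%-- original --%>", b"<%-- altered, old mtime kept --%>", old),
        ("ecp/default.aspx", b"<%-- unchanged page --%>", b"<%-- unchanged page --%>", old),
        ("owa/auth/example_new.aspx", None, b"<%-- new script file --%>", new),
        ("owa/auth/theme.css", None, b"body {}", new),  # static file, not a script
    ]
    baseline = {}
    for rel, before, now, ts in samples:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(now)
        os.utime(path, (ts, ts))
        if before is not None:
            baseline[rel] = hashlib.sha256(before).hexdigest()
    return root, baseline


def demo(baseline_date=datetime(2021, 3, 1, tzinfo=timezone.utc)):
    """Run both checks over the constructed web root and return the findings."""
    root, baseline = build_constructed_web_root()
    recent = find_recent_script_files(root, baseline_date)
    added, changed, removed = diff_manifest(baseline, hash_manifest(root))
    return {"recent": recent, "added": added, "changed": changed, "removed": removed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed data the timestamp sweep flags only `owa/auth/example_new.aspx`, while the manifest diff also reports `owa/auth/logon.aspx` as changed, which is the point of keeping a hash baseline: a modification-time check is cheap but easy to defeat, and anything either check surfaces should go to the incident response process described in the step above rather than be deleted on the spot.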
Additional key points for counties:
- If you are in a hybrid situation (where you also still have an on-premise Exchange server), patching and remediation steps still need to be taken.
- If your county information technology is not centralized under one department, ensure that other agencies or entities you are connected with have taken remediation steps.
- If you or your IT department have applied the patches, you MUST still check for indicators of compromise. The March 6 alert provides additional information on how to check for compromise.
- If you believe that your county is secure because you do not use the Microsoft on-premise product, you are highly encouraged to share this with other agencies and organizations that you conduct business with, as they may use the Microsoft products.
Below are some resources from Microsoft and CISA to help you. These are being regularly updated, so please check back often at cisa.gov/ed2102:
- CVE-2021-27065 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability
- Multiple Security Updates Released for Exchange Server – updated March 8, 2021 – Microsoft Security Response Center
- HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security
- Remediating Microsoft Exchange Vulnerabilities | CISA
- Detect and Prevent Web Shell Malware