On March 10, 2021, CISA and the FBI (Federal Bureau of Investigation) released a Joint Cybersecurity Advisory (CSA) regarding the disclosed Microsoft Exchange Server vulnerabilities. The compromise allows cyber threat actors to exploit those vulnerabilities to steal data, cripple networks, deploy ransomware, and more. “The CSA places the malicious cyber actor activity observed in the current Microsoft Exchange Server compromise into the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework.”
The advisory outlines that exploitation of on-premises Microsoft Exchange products could pose a serious risk to sensitive and critical data, including “valuable research, technology, and personally identifiable information (PII).” Exploitation is far-reaching: it affects Federal Civilian Executive Branch agencies as well as private companies and institutions, impacting thousands of systems across the U.S.
The CSA summarizes the MITRE ATT&CK techniques observed to date, ranging from initial access through command and control, among others. Any organization that detects activity related to the Microsoft Exchange Server compromise is advised to take the following actions per CISA Alert AA21-062A:
- Collect all associated data. This includes all log files, memory, and registry hives. If no indications of compromise are found, the organization should apply the Microsoft patches immediately.
- If compromise is detected, a thorough forensic analysis of all collected data needs to be conducted. All infected on-premises servers should be disconnected immediately, and all threat actor-controlled accounts should be removed. Microsoft has released an updated indicators of compromise (IOC) detection tool that scans log files for indications of compromise.
- Report all suspicious or threatening activity to CISA and the FBI.
See detailed CISA remediation recommendations for Microsoft Exchange Server vulnerabilities here.
SecuLore Solutions provides continuous Layer 2 monitoring of all network traffic by deploying a Paladin™ device that passively captures all traffic traversing the monitored network. The raw packets are captured and stored locally on the device for up to a week, providing full forensic captures of all traffic. Simultaneously, the Paladin processes the data and sends the metadata back to SecuLore's 24x7x365 Security Operations Center (SOC). There the data is processed through a proprietary behavioral analysis that is continuously reviewed by our team of Certified Ethical Hackers (CEH).
SecuLore Support Team