The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has released supplemental directions to help agencies root out and mitigate vulnerabilities in their Microsoft Exchange on-premises products.
CISA previously released an emergency directive (ED 21-02) on March 3 with a critical patch. The new March 31 supplemental direction requires agencies running these products to perform additional forensic triage, and adds server hardening and reporting requirements for them.
“Although federal agencies successfully responded to ED 21-02, which included initial efforts to forensically triage and rapidly update Microsoft Exchange servers hosted in the federal enterprise, CISA is directing additional actions to identify compromises that may remain undetected,” the directions say.
The Microsoft Exchange intrusions, along with the SolarWinds Orion hack, are part of the ongoing “Sunburst” cyber-espionage campaign. The response to the supply chain vulnerabilities has led to a federal partnership with private sector firms to combat the hack and to calls for more resources.
The supplemental instructions require agencies running the Microsoft Exchange on-premises products to perform forensic triage by running a scan by April 5 – and one every week for the next four weeks – as well as a further test to help identify any signs of ProxyLogon compromise.
The server hardening requirements include directing agencies to put a firewall between Microsoft Exchange servers and the internet, and deploy security and other updates to software within 48 hours of update releases. In addition, agencies must review account permissions and roles on Exchange, review membership in highly privileged and sensitive groups, “strictly adhere to the principle of least privilege”, and make sure no one with admin privileges on Microsoft Exchange has admin privileges on Microsoft Office 365.
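One way to operationalize the last requirement in that list, that no Exchange administrator also holds Microsoft 365 admin rights, as an added PowerShell example that is not part of the article or the directive. It assumes an Exchange Management Shell session for the on-prem cmdlets, an AzureAD module session already opened with Connect-AzureAD, and that on-prem primary SMTP addresses match cloud user principal names.

```powershell
# Added example: report principals that are direct members of an on-premises Exchange admin
# role group AND hold a privileged Microsoft 365 directory role.
# Assumptions: Exchange Management Shell (Get-RoleGroupMember), AzureAD module connected via
# Connect-AzureAD, and PrimarySmtpAddress == UserPrincipalName. Adjust the lists to local policy.

# On-prem Exchange role groups treated as administrative (assumption: tune to your environment).
$exchangeAdminGroups = @('Organization Management', 'Recipient Management',
                         'Server Management', 'Discovery Management', 'Hygiene Management')

# Map lower-cased SMTP address -> list of admin role groups it belongs to.
# Note: Get-RoleGroupMember lists direct members only; nested groups are not expanded here.
$exchangeAdmins = @{}
foreach ($group in $exchangeAdminGroups) {
    Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PrimarySmtpAddress) {
            $key = $_.PrimarySmtpAddress.ToString().ToLowerInvariant()
            if (-not $exchangeAdmins.ContainsKey($key)) { $exchangeAdmins[$key] = @() }
            $exchangeAdmins[$key] += $group
        }
    }
}

# Privileged Microsoft 365 directory roles (assumption: extend as needed). Older module versions
# name Global Administrator "Company Administrator", so both spellings are matched.
$cloudAdminRoles = @('Global Administrator', 'Company Administrator', 'Exchange Administrator',
                     'Privileged Role Administrator', 'Security Administrator')

# Get-AzureADDirectoryRole returns only roles activated in the tenant.
$overlaps = foreach ($role in Get-AzureADDirectoryRole |
                     Where-Object { $cloudAdminRoles -contains $_.DisplayName }) {
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
        $upn = $_.UserPrincipalName          # service principals have none and are skipped
        if ($upn -and $exchangeAdmins.ContainsKey($upn.ToLowerInvariant())) {
            [pscustomobject]@{
                Principal     = $upn
                ExchangeRoles = ($exchangeAdmins[$upn.ToLowerInvariant()] -join ', ')
                CloudRole     = $role.DisplayName
            }
        }
    }
}

if ($overlaps) {
    Write-Warning 'Accounts holding both on-prem Exchange and Microsoft 365 admin roles:'
    $overlaps | Sort-Object Principal | Format-Table -AutoSize
} else {
    Write-Output 'No overlap between Exchange admin role groups and Microsoft 365 admin roles.'
}
```

Any account listed in the output violates the separation the direction calls for and should be remediated by removing one of the two role assignments.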
Agencies are required to report the results of the scans by April 5 if no attacker activity is found, and the status of server hardening efforts by June 28. Any additional compromises must be reported to CISA immediately.