HAFNIUM Actively Exploiting Exchange Server Vulnerabilities: Microsoft Issues Patches and CISA Issues Executive Order to Mitigate Flaws; More SolarWinds Malware Discovered

Note this only applies to on-premise Exchange servers, Microsoft 365, aka Exchange Online, is not impacted. The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. While not vulnerable, the update includes patches for Microsoft Exchange Server 2010 for defense in depth; in other words patch all versions of Exchange from 2010 forward. While a migration to MS 365 may on your strategic roadmap, that migration takes significant time, planning and orchestration, and can be disruptive. Accelerating that plan, or initiating one from scratch, is not an effective alternative to patching these vulnerabilities. Patch first then resume your migration as planned.

Lee Neely

Because this is being actively exploited, Federal agencies are expected (per ED 21-02 below) to forensically image systems and check for indicators of compromise or anomalous behavior, disconnecting exchange servers if indications of compromise are found until further notice. This applies to all Exchange systems, unclassified and classified. Systems without indicators of compromise are expected to be patched immediately. If you don’t have the capability to perform the requested actions, CISA will provide technical assistance.

Lee Neely

Microsoft’s mitigation guidance says “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.”  Well architected, segmented and maintained DMZs and remote access capabilities should be doing this in addition to being patched quickly. All too often, however, they are not. I assume this is one reason why Microsoft says, “Exchange Online is not affected.” The other is issue is how slowly enterprises deploy patches vs. how quickly the patches are applied to the cloud services they consume.

John Pescatore

Assume that attackers are actively scanning the Internet looking for exposed Exchange services such as OWA to exploit. Patch Internet accessible Exchange services first, and even if your other Exchange services are not exposed to the internet, make sure to update them as well. Use the latest version of the Microsoft Exchange Server Health Check script to see if your Exchange server updates are current. https://aka.ms/ExchangeHealthChecker

Lee Neely

Qualys not only applied the updates to the FTA server, but also enabled additional monitoring and alerting. Even so, they fell victim to a zero-day. The FTA appliances are unsupported, and even so, Accellion is working to resolve deficiencies in the FTA appliance to aid transition to new solutions. These activities have rendered the FTA appliance a target of opportunity, meaning you need to accelerate your migration. If you decide to take your FTA appliance offline immediately, make sure to provide guidance and implement monitoring for work-arounds or other Shadow-IT solutions.

Lee Neely

All enterprises using this flawed product should be looking for indicators of compromise, keeping in mind that "the absence of evidence is not evidence of absence."

William Hugh Murray

Healthcare organizations have been a big fat target this last year and this resource is a boon to those working to improve their security. The organization of advice by IT roles as well as groupings by the five stages in the NIST framework make it really easy to find relevant guidance. Resources include not only direct links to reference standards but also explanations and supporting references to aid understanding. Even if you think you’re good to go, peruse the references on the MITRE site below for ideas to shore up your existing plans.

Lee Neely

While tools specialized to the purpose and environment are welcome, it is the lack of timely application of tools, not a shortage of them that is the issue.

William Hugh Murray

The PDNS selection guide provides a comparison of PDNS providers to aid selection. PDNS provides a layer of protection beyond DNSSEC and DOH to classify upstream responses as Phishing, Malware, Algorithmically Generated as well as other categories to aid content filtering (e.g., porn, gambling). Note that PDNS will not help sites directly access via a local host table or use of the IP Address.

Lee Neely

Include cyber security provisions in all contracts where your information will be processed or exchanged. While obvious when selecting a cloud service or IT outsource, it also must be considered for other activities such as forwarding designs for external fabrication. Be sure to include requirements flow down, protection, storage as well as contract termination/data recovery along with your right to audit/verify.

Lee Neely