The US Cybersecurity & Infrastructure Security Agency (CISA) and the FBI have released a joint advisory urging organizations to take steps towards mitigating the recent Microsoft Exchange ‘ProxyLogon’ vulnerabilities.
Soon after Microsoft disclosed the existence of several chainable vulnerabilities in its Exchange products, CISA published granular guidelines that IT administrators could follow to detect potential intrusions. Microsoft, for its part, urged affected organizations to quickly patch their Exchange deployments, as attackers were already exploiting the flaws.
Now CISA and the FBI have joined forces to again press affected parties to review all available information so they can detect, protect against, and remediate this malicious activity.
“CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) to address recently disclosed vulnerabilities in Microsoft Exchange Server. CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack,” according to the notice up on us-cert.cisa.gov.
“CISA recommends organizations to review Joint CSA: AA-21-069 Compromise of Microsoft Exchange Server as well as the CISA Remediating Microsoft Exchange Vulnerabilities web page for guidance on detecting, protecting against, and remediating this malicious activity,” the agency notes.
The move follows the release of a proof-of-concept (PoC) for exploiting the vulnerabilities in question. The ‘ProxyLogon’ PoC combines the CVE-2021–26855 and CVE-2021–27065 vulnerabilities to authenticate on an Exchange server and run malicious code. Several security researchers have confirmed the PoC’s validity.
CVE-2021-26855 is a vulnerability on Microsoft Exchange Server that lets an attacker bypass authentication and impersonate the admin. Chained with another post-authentication arbitrary-file-write vulnerability – CVE-2021-27065 – the vulnerability can allow an attacker to perform remote code execution.
Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server, all tied to the ProxyLogon chainable attack scenario. The maker of Windows has also released a script that scans Exchange log files for indicators of compromise.
CISA recommends organizations examine their systems for the tactics, techniques and procedures described in its extensive library of resources documenting the flaws, and use the IOCs to detect any malicious activity.
“If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures,” CISA says.