We've been tracking various US-CERT and CISA alerts for years, and this is some of the most urgent language we've seen used.
The Cybersecurity and Infrastructure Security Agency issued a special bulletin on the evening of March 8, titled "CISA Strongly Urges All Organizations to Immediately Address Microsoft Exchange Vulnerabilities."
It then goes on to say the following:
"As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises organizations follow the guidance laid out in the web page. The guidance provides specific steps for both leaders and IT security staff and is applicable for all sizes of organizations across all sectors."
In other words, these vulnerabilities sound as ubiquitous as Microsoft Exchange itself.
CISA is now delivering advice on remediating the vulnerabilities, with part of the message specifically crafted for business and security leaders and another section crafted for security teams.
Let's take a look at both of these.
The part of the CISA alert written for leaders is concise and clear, and explains the "why" behind the concern over this cyberattack scenario. And again, listen for the urgency in this message.
"An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack. Leaders at all organizations must immediately address this incident by asking their IT personnel:
Leaders should request frequent updates from in-house or third-party IT personnel on progress in implementing the guidance below until completed."
The CISA wording to security teams is also urgent and includes mitigation steps for cybersecurity professionals.
As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises all system owners complete the following steps:
If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.
And CISA added a special note at the end of this alert:
"Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment."
It's amazing to think how quickly bulletins, updates, and patches have emerged around this collection of 2021 Microsoft Exchange vulnerabilities. Here is the timeline so far:
"The FBI is aware of Microsoft's emergency patch for previously unknown vulnerabilities in Exchange Server software, attributed to the APT actor known by Microsoft as HAFNIUM. The FBI is working closely with our interagency and private sector partners to understand the scope of the threat. Network owners should immediately patch their systems.
Help us respond to victims and hold those responsible accountable. If your Exchange Server from Microsoft has been compromised, please contact your local FBI field office."
This likely speaks to the serious and widespread nature of these particular vulnerabilities. We'll let you know when there is more news to share.