A joint advisory from the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warns of potential follow-on attacks to the recent hacking incident against vulnerable Microsoft Exchange email servers, Breaking Defense reported.
Noting that the number of Exchange hacks attempted and accomplished has not been decreasing, the agencies and security firms say more threat actors, ranging from cybercriminals to actors sanctioned by nation-states, are likely to attack the servers.
A recent report by security firm ESET identified “at least 10” threat actor organizations attacking Exchange servers with zero-day exploits and web shells. The advisory says the attacks could take the form of ransomware deployed by cybercriminals or more destructive actions such as data wiping, which are more likely to be performed by nation-states.
The advisory recommends an immediate forensic triage of all on-site Exchange servers to search for signs of compromise, and recommends that organizations with in-house forensic capabilities perform a step-by-step procedure supplied by the agency. Organizations without in-house forensics expertise that have discovered signs of compromise are advised to disconnect their Microsoft Exchange on-premises servers and inform the FBI or CISA.