The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a supplemental direction to Emergency Directive (ED) 21-02, which lays out hardening, forensic triage and reporting requirements designed to mitigate vulnerabilities found in the wake of the massive Microsoft Exchange vulnerability hacks that have affected tens of thousands of organizations.
The update directs federal departments and agencies to run newly developed tools to investigate whether their Microsoft Exchange servers have been compromised: Microsoft’s Test-ProxyLogon.ps1 script and Safety Scanner MSERT. Agencies must also ensure their exchange servers are provisioned with a firewall, fully updated, supported by Microsoft, and safeguarded by anti-malware programs, among other listed protections.
Although ED 21-02 mainly applies to federal civilian executive branch agencies, CISA encourages state and local governments, critical infrastructure companies and other private-sector organizations to review the notice and consult the following resources for additional information:
- CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
- CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities
- CISA web page: Remediating Microsoft Exchange Vulnerabilities
- Microsoft’s EOMT.ps1 blog post
“If there ever was a question of the impact and risk associated with these vulnerabilities, it should clearly be answered now,” said Tim Wade, technical director of the CTO Team at Vectra. “CISA has instructed organizations with insufficient cybersecurity expertise to fully disconnect their on-premises Exchange infrastructure until such a time as instructions for rebuilding and reprovisioning are provided. Given the importance of email for modern business, these directives indicate that there are organizations that may be implicitly instructed to stand down from the full execution of their primary function unless and until remediation occurs.”