The Cybersecurity and Infrastructure Security Agency (CISA) has identified a serious threat that unpatched Microsoft Exchange servers pose to businesses, local governments, and infrastructure managers, and has requested our assistance in sharing information about that threat and the mitigating steps in its emergency directive. The seriousness of this vulnerability cannot be overstated; its exploitation is widespread and indiscriminate.
Please share this information with your IT staff and/or vendor partners as soon as possible.
This vulnerability is already being actively exploited in many thousands of systems and could allow criminal actors to engage in acts that threaten continuity of operations, such as ransomware, even after Microsoft Exchange has been patched. Please speak with your IT officials immediately to determine what steps your organization has taken. If your organization does not have the technical capability to verify network integrity, please consider bringing in a third party to assist you as soon as possible.
Any organization using Microsoft Exchange on-premises products needs to immediately:
- Check for signs of compromise;
- If evidence of compromise is found, assume that your organization’s network identity has been compromised and begin incident response procedures;
- Patch Microsoft Exchange servers with the vendor-released patches;
- If unable to patch immediately or remove the Microsoft Exchange servers from the network immediately, CISA strongly recommends following the alternative mitigations found in Microsoft’s blog on Exchange Server vulnerabilities mitigation. These mitigations should not be taken as an adequate substitute for patching.
Responding to indicators of compromise is essential to eradicate adversaries already on your network and must be done in conjunction with measures to secure the Microsoft Exchange environment. Patching an already compromised system will not be sufficient to mitigate this situation; therefore, CISA strongly encourages partners to immediately disconnect any Microsoft Exchange servers suspected of being compromised.
CISA resources:
Please contact CISA for any questions or to report an incident regarding this vulnerability at central@cisa.gov.