The New York State Department of Financial Services (NYSDFS) issued an industry letter to its regulated entities following the discovery of actively exploited cybersecurity vulnerabilities in Microsoft Exchange Server.
The industry letter states, “In recent days, thousands of organizations were compromised via zero-day vulnerabilities in Microsoft Exchange Server. On March 2, 2021, Microsoft made patches available for these vulnerabilities but many organizations were compromised either before the patches were available or before the patches were applied.”
The four vulnerabilities affect on-premises Microsoft Exchange Server 2013 and later, that is, organizations that host Exchange’s web-facing mail services on their own machines rather than through a cloud provider. On March 2 Microsoft also released several further security updates for other vulnerabilities affecting on-premises versions of Exchange Server.
“Microsoft stated that these exploits ‘require[] the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections or by setting up a VPN to separate the exchange server from external access.’ The other vulnerabilities that were also fixed in the March 2nd updates were CVE-2021-26412, CVE-2021-26854, and CVE-2021-27078 and, according to Microsoft, are ‘not related to known attacks,’” the letter stated.
NYSDFS urged regulated entities running vulnerable Microsoft Exchange servers to patch or disconnect those servers. It also urged them to use the tools provided by Microsoft to identify and remediate any compromise resulting from exploitation of the zero-day vulnerabilities.
It noted that the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had issued Emergency Directive 21-02, which directed immediate patching of the vulnerabilities and preservation of forensic evidence of the incident.
“CISA reported that the threat actors deployed web shells on the compromised servers to establish persistent access to the victims’ network,” the letter stated. “Web shells can allow attackers to steal data and perform additional malicious actions; installing the patches alone will not remove malicious web shells that were deployed before patching. We therefore recommend carefully considering the steps proposed in the CISA Emergency Directive to identify exploited servers and find web shells.
“Regulated entities should immediately assess the risk to their systems and consumers and take steps necessary to address vulnerabilities and customer impact,” the letter continued. “The assessment should identify internal use of vulnerable Microsoft Exchange products and any use of these products by critical third parties. Regulated entities should also continue to track developments in this compromise and respond quickly to new information.”