The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-02 today requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch released yesterday. It also requires agencies who are currently able to do so to collect forensic images. All agencies are also required to search for known indicators of compromise after patching, and if indicators are found, contact CISA to begin incident response activities. The directive is in response to observed active exploitation of these products using previously unknown vulnerabilities. CISA also issued an activity alert to provide additional information and to encourage other public and private sector organizations to take steps to protect their networks.
“This Emergency Directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said Acting CISA Director Brandon Wales. “The swiftness with which CISA issued this Emergency Directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it.”
ED 21-02 reflects CISA’s determination that exploitations that pose an unacceptable risk to the federal civilian executive branch agencies require emergency action. CISA made this assessment on the basis of 1) current exploitation of these vulnerabilities, 2) the likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded.
CISA and the National Security Agency worked with Microsoft and security researchers to identify detection and mitigation approaches to these vulnerabilities, for which Microsoft released the patch this afternoon. Cloud services such as Microsoft 365 and Azure systems are not known to be affected by this vulnerability.