Original release date: March 10, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) to address recently disclosed vulnerabilities in Microsoft Exchange Server. CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack.

The CSA places the malicious cyber actor activity observed in the current Microsoft Exchange Server compromise into the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework.

CISA recommends organizations to review Joint CSA: AA-21-069 Compromise of Microsoft Exchange Server as well as the CISA Remediating Microsoft Exchange Vulnerabilities web page for guidance on detecting, protecting against, and remediating this malicious activity.

Original release date: March 10, 2021

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s March 2021 Security Update Summary
and Deployment Information and apply the necessary updates.

Original release date: March 9, 2021

Since December 2020, CISA has been responding to a significant cybersecurity incident involving an advanced persistent threat (APT) actor targeting networks of multiple U.S. government agencies, critical infrastructure entities, and private sector organizations. The APT actor added malicious code to multiple versions of the SolarWinds Orion platform and leveraged it—as well as other techniques, including—for initial access to enterprise networks. After gaining persistent, invasive access to select organizations’ enterprise networks, the APT actor targeted their federated identity solutions and their Active Directory/M365 environments. CISA has published two new resources on the follow-on activity from this compromise:

• The Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page to provide actionable guidance to organizations affected by this APT activity. Although the guidance on the web page is directed to federal departments and agencies, CISA encourages affected critical infrastructure and private sector organizations to review and apply it, as appropriate.
• The CISA Insights: SolarWinds and Active Directory/M365 Compromise: Risk Decisions for Leaders supports executive leaders of affected organizations in understanding the threat, risk, and associated actions they should take in response to the APT activity. The CISA Insights specifically applies to organizations with affected versions of SolarWinds Orion who have evidence of follow-on threat actor activity.

CISA encourages affected organizations to review and apply the necessary guidance in the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page and CISA Insights. For general information on CISA’s response to SolarWinds Orion compromise activity, refer to www.cisa.gov/supply-chain-compromise.

Original release date: March 9, 2021

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates.

• Safari 14.0.3 (v.14610.4.3.1.7 and 15610.4.3.1.7)
• macOS Big Sur 11.2.3
• watchOS 7.3.2
• iOS 14.4.1 and iPadOS 14.4.1

Original release date: March 6, 2021

Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021.

CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script—as soon as possible—to help determine whether their systems are compromised. For additional information on the script, see Microsoft’s blog HAFNIUM targeting Exchange Servers with 0-day exploits.

For more information about these vulnerabilities and how to defend against their exploitation, see:

• Microsoft Advisory: Multiple Security Updates Released for Exchange Server
• Microsoft Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
• Microsoft GitHub Repository: CSS-Exchange
• CISA Alert: Mitigate Microsoft Exchange Server Vulnerabilities
• CISA Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities