CISA warns of security flaws in Microsoft Exchange

Apr 2, 2021 11:22 GMT

CISA is telling U.S. government agencies to update their Microsoft software as soon as possible, warning of security vulnerabilities in Microsoft Exchange that require additional hardening.

Microsoft itself recently acknowledged that security flaws in Microsoft Exchange Server have been exploited by a group called Hafnium, which is believed to be based in China.

Microsoft explained that state-sponsored hackers used previously unknown exploits to target on-premises Exchange Server, with the company rolling out several mitigations and even reaching out to the U.S. government on the matter.

CISA details a series of hardening requirements that need to be implemented on government computers by the end of June.

“Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity. For all hosted Microsoft Exchange servers, agencies must implement the following hardening requirements by 12:00 pm Eastern Daylight Time on Monday, June 28, 2021,” a notification reads.

Hardening requirements

The hardening requirements include firewall settings, software updates, and anti-malware protection that must use signatures “not older than 24 hours.”

“Microsoft Exchange servers must be provisioned with a firewall between the server and the internet.
a. The firewall must enforce deny by default, allow by exception rules.
b. To the maximum extent technically possible, RFC compliance must be enabled for allowed protocols on the firewall.
c. Agencies must report and note the reason for any allowed protocol for which RFC compliance is not enabled,” the organization notes.
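The two requirements the article quotes, a deny-by-default firewall with documented exceptions and anti-malware signatures no older than 24 hours, are the kind of thing an administrator would want to verify rather than assume. The script below is an added example written for this page; it is not code from CISA, Microsoft or the article. It assumes the Exchange host runs Windows with Microsoft Defender and the built-in Windows Firewall, and it treats the host firewall as a local stand-in for the perimeter firewall the directive actually describes, so a passing result here does not by itself show that the perimeter requirement is met. The 24-hour threshold comes from the article; the function names are the example's own.

```powershell
# Added example (not from the article, CISA or Microsoft): audit a Windows host
# against two of the hardening requirements quoted above. Assumes Microsoft
# Defender and the built-in Windows Firewall are present. The host-firewall
# checks are a local proxy for the perimeter "firewall between the server and
# the internet"; they do not prove perimeter compliance.

$MaxSignatureAgeHours = 24   # "signatures not older than 24 hours"

function Test-SignatureFreshness {
    # Defender reports when its antivirus signatures were last updated.
    $status = Get-MpComputerStatus
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        Check     = 'AV signature age'
        Value     = ('{0:N1} hours' -f $age.TotalHours)
        Compliant = ($age.TotalHours -le $MaxSignatureAgeHours)
    }
}

function Test-DenyByDefault {
    # Every firewall profile must be enabled and block inbound traffic unless
    # an explicit allow rule matches (requirement a).
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Check     = "Firewall profile '$($p.Name)' default inbound"
            Value     = $p.DefaultInboundAction
            Compliant = (($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block'))
        }
    }
}

function Get-InboundExceptions {
    # The "allow by exception" rules; each one is something the directive
    # expects agencies to be able to justify and report (requirement c).
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule     = $_.DisplayName
                Protocol = $port.Protocol
                Port     = $port.LocalPort
                Profile  = $_.Profile
            }
        }
}

$results = @(Test-SignatureFreshness) + @(Test-DenyByDefault)
$results | Format-Table -AutoSize

"`nInbound allow exceptions to document:"
Get-InboundExceptions | Format-Table -AutoSize

# Non-zero exit so a scheduled task or monitoring job can flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

Run it in an elevated PowerShell session on the Exchange host; the exit code makes it usable from a scheduled task, and the exceptions table is the list an agency would need to annotate to satisfy the reporting clause.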

Microsoft warns that Hafnium, the group behind the Exchange attacks, typically goes after targets in the United States, using virtual private servers based in America. It’s mostly launching cyberattacks against law firms, defense contractors, infectious disease researchers, and NGOs, it said.