CISA issues alert on mitigating active Microsoft Exchange server vulnerabilities
The Office for Civil Rights (OCR) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a March 3 alert to provide guidance pertaining to Microsoft Exchange server vulnerabilities.
The alert, which was updated March 5 to offer additional guidance, is intended to assist HIPAA covered entities (CE) and business associates (BA) in addressing serious threats to Microsoft Exchange servers. CISA partners have recently observed active exploitation of vulnerabilities in certain Microsoft Exchange products. Through these vulnerabilities, unauthorized parties can gain persistent system access, including access to files and mailboxes on the server and to credentials stored in the system.
As part of the alert, CISA provided tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) associated with the malicious activity. Additionally, CISA included details about conducting forensic analysis to collect artifacts and perform triage if an organization finds evidence of compromise. CISA recommends using processes and tools that minimize alteration of the data being collected and minimize the impact on the operating system. During data collection, data should be stored on removable or external media, CISA said.
Key artifacts for triage that should be collected include:
- All registry hives
- All web logs
- All Windows event logs
- Memory
All elements can be collected using a variety of open-source tools, which CISA lists in the alert.
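The following PowerShell script is an added example, not part of the CISA alert or the OCR notice, showing how the artifact classes listed above can be gathered from an Exchange server onto attached external media while keeping changes to the source system small (built-in `reg.exe`, `wevtutil.exe` and `robocopy` rather than installed tooling, output written only to the destination drive, and a SHA-256 manifest of everything collected). It assumes an elevated prompt, a destination path on removable media (`$Destination`, e.g. `E:\triage`), IIS logs in their default location, and Exchange's install path in `$env:ExchangeInstallPath`; memory is deliberately left to a dedicated imaging tool, as noted in the comments.

```powershell
# Added example (not from the CISA alert): triage collection of registry hives,
# web logs and Windows event logs to removable media, with a hash manifest.
# Assumptions: run elevated; $Destination is on external media; IIS logs are in the
# default location; Exchange's install path is exposed via $env:ExchangeInstallPath.
param(
    [Parameter(Mandatory = $true)][string]$Destination   # e.g. E:\triage (removable media)
)

$ErrorActionPreference = 'Continue'
$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$out      = Join-Path $Destination "$computer-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null
Start-Transcript -Path (Join-Path $out 'collection.log') | Out-Null

# 1. Memory is the most volatile artifact: capture it first with a dedicated memory
#    imaging tool (one of the open-source tools the alert lists), writing the image
#    to $out, before running the rest of this script.

# 2. Registry hives: 'reg save' writes a consistent copy of a live hive without
#    modifying it. Machine hives first, then every currently loaded user hive.
$regDir = Join-Path $out 'registry'
New-Item -ItemType Directory -Path $regDir -Force | Out-Null
foreach ($hive in 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM') {
    reg.exe save "HKLM\$hive" (Join-Path $regDir "$hive.hiv") /y | Out-Null
}
Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    $file = Join-Path $regDir ("HKU_{0}.hiv" -f $_.PSChildName)
    reg.exe save $_.Name $file /y | Out-Null
}

# 3. Windows event logs: export every channel as .evtx so the original log files
#    are never opened or cleared. Channel names can contain '/' and '\', which are
#    not valid in file names, so they are replaced before use as a path.
$evtDir = Join-Path $out 'eventlogs'
New-Item -ItemType Directory -Path $evtDir -Force | Out-Null
wevtutil.exe el | ForEach-Object {
    $safeName = ($_ -replace '[\\/]', '_') + '.evtx'
    wevtutil.exe epl $_ (Join-Path $evtDir $safeName) 2>$null
}

# 4. Web logs: IIS request logs plus Exchange's own protocol/HTTP proxy logs.
#    robocopy /COPY:DAT preserves data, attributes and timestamps, which matter for
#    building a timeline; /R:1 /W:1 avoids long stalls on files that are in use.
$webSources = @{
    'iis_logs'      = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'
    'exchange_logs' = if ($env:ExchangeInstallPath) { Join-Path $env:ExchangeInstallPath 'Logging' }
}
foreach ($name in $webSources.Keys) {
    $src = $webSources[$name]
    if ($src -and (Test-Path $src)) {
        robocopy $src (Join-Path $out $name) /E /COPY:DAT /R:1 /W:1 /NP `
            /LOG+:(Join-Path $out "robocopy-$name.log") | Out-Null
    } else {
        Write-Warning "Source for '$name' not found; skipping."
    }
}

# 5. Integrity manifest: SHA-256 of every collected file so the evidence can be
#    verified later. The still-open transcript and the manifest itself are excluded.
$manifest = Join-Path $out 'manifest.csv'
Get-ChildItem $out -Recurse -File |
    Where-Object { $_.Name -notin 'collection.log', 'manifest.csv' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path $manifest -NoTypeInformation

Stop-Transcript | Out-Null
Write-Host "Collection complete: $out"
```

Launch the script from the external media itself (for example `E:\collect.ps1 -Destination E:\triage`) so that nothing is written to the server's own disks, and keep the `manifest.csv` and `collection.log` with the evidence; the hashes let an analyst confirm the copied hives, event logs and web logs are unchanged when they are later examined offline.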
To improve mitigation tactics, CISA recommends that organizations read Microsoft’s advisory and security blog post for more information on spotting potential malicious activity and applying critical patches.