Ma
Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

See supplemental direction v1 issued on March 31, 2021.
See supplemental direction v2 issued on Ap for the latest.

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 21-02, “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities”.

Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. § 655(3). Federal agencies are required to comply with these directives. These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. § 3553(d), (e)(2), (e)(3), (h)(1)(B).

CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

Currently, the vulnerabilities related to this known exploitation activity include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. According to Microsoft and security researchers, the following vulnerabilities are related yet not known to be exploited: CVE-2021-26412, CVE-2021-26854, and CVE-2021-27078.

CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.

After identifying all instances of on-premises Microsoft Exchange Servers in the environment, agencies that have the expertise shall forensically triage artifacts using collection tools (see CISA’s Activity Alert for examples) to collect system memory, system web logs, Windows event logs, and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities as described in the Activity Alert.