DHS CISA requires federal agencies to assess their Microsoft Exchange servers by April 5

The DHS CISA has issued a supplemental directive that requires all federal agencies to identify vulnerable Microsoft Exchange servers in their infrastructure within five days.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a supplemental directive requiring all federal agencies to identify Microsoft Exchange servers in their environments impacted by ProxyLogon flaws within five days and take the necessary steps to secure them.

The new directive demands agencies to accelerate the mitigation process and extends the Emergency Directive 21-02 issued by the DHS agency on March 3, 2021.

The response of the federal agencies was proactive, anyway, the Supplemental Direction to the directive also aims at identifying possible compromises that were previously undetected.

“Although federal agencies successfully responded to ED 21-02, which included initial efforts to forensically triage and rapidly update Microsoft Exchange servers hosted in the federal enterprise, CISA is directing additional actions to identify compromises that may remain undetected. Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised.” reads the Supplemental Direction issued by CISA. “CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening.”

“Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised. CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening,”

CISA required federal agencies to download the latest version of Microsoft Safety Scanner (MSERT) and scan their infrastructure by 12:00 pm Eastern Daylight Time on Monday, April 5, 2021. The agency also asks the federal agencies to report to CISA the results of the scans.

The scan process should be performed weekly for the following four weeks and federal agencies are invited to report any evidence of potential compromise.

“By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021, download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode and report results to CISA using the provided reporting template.” continues CISA. “Weekly, for four weeks after the first scan, download and run the latest version of MSERT and only report to CISA findings that may indicate compromise, per incident reporting instructions below (unlike the initial reporting requirement for the first scan, negative results for these weekly recurring scans do not need to be reported).

“MSERT only scans when manually triggered and it is updated frequently. Agencies must download the latest version of this tool before each scan. Running MSERT in Full Scan mode may cause server resource utilization to peak. Accordingly, CISA recommends agencies run the tool during off-peak hours.”

CISA invites federal agencies to perform full scan during off-peak hours to avoid impacting their operations.

The federal agencies are also required to download and run the Test-ProxyLogon.ps1 script by April 5 to detect ongoing attacks through the analysis of the Exchange and IIS logs. The results provided by the tools have to be shared with CISA experts.

“By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021, download and run the Test-ProxyLogon.ps1 script as an administrator to analyze Exchange and IIS logs and discover potential attacker activity. Report results to CISA using the provided reporting template.” continues the advisory.

“This script checks targeted exchange servers for signs of the proxy logon compromise described in CVE-2021-26855, 26857, 26858, and 27065. This script is intended to be run via an elevated Exchange Management Shell. If the script does not identify attacker activity, it outputs the message “Nothing suspicious detected.” If attacker activity is identified, the script reports the vulnerabilities for which it found evidence of use and collects logs that it stores in the specified output path in the Test-ProxyLogonLogs directory.”

The advisory also provided “Hardening Requirements” to the federal agencies that have to be implemented by 12:00 pm Eastern Daylight Time on Monday, June 28, 2021. These Hardening Requirements include firewalls, installation of software updates, anti-malware protection, Security Operation Centers (SOC), installation of software supported by the manufacturer, and application of the principle of least privilege.

Agencies that participate in the Continuous Diagnostics and Mitigation (CDM) program must validate that their on-premises Exchange servers are visible to CDM information security continuous monitoring capabilities, where possible.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

[adrotate banner=”5″]

[adrotate banner=”13″]