N.C. Joint Cybersecurity Task Force Microsoft Exchange Impact Incident Management
This page from the N.C. Joint Cybersecurity Task Force contains the latest information and resources regarding the Microsoft Exchange compromise for North Carolina state agencies, local governments, academic institutions and private sector entities.
Reporting Exposures or Compromises
If your organization is exposed and/or compromised and needs further assistance with recommended industry best practices, please contact the N.C. Joint Cybersecurity Task Force at reportspam@ncem.org.
Microsoft Exchange Incident Management Questionnaire
The task force is asking state, local and academic entities to complete a short questionnaire to help it assess the state’s security posture. Information shared as part of this process will be protected from public disclosure under N.C. G.S. 132-6.1(c).
N.C. Joint Cybersecurity Task Force Bulletins & Alerts
- Microsoft Exchange Server Vulnerability Guidance (March 12, 2021)
Other Bulletins & Alerts
- CISA Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities
- U.S. Department of Homeland Security Emergency Directive 21-02
- Microsoft Security Response Center: Microsoft Exchange Server Vulnerabilities Mitigations
- Microsoft: Guidance for Responders: Investigating & Remediating On-Premise Exchange Server Vulnerabilities (March 16, 2021)
- Microsoft Tech Community: Exchange Server Security Updates for Older Cumulative Updates of Exchange Server (March 8, 2021)
- FireEye: Detection & Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities (March 4, 2021)
- Microsoft: HAFNIUM Targeting Exchange Servers with Zero-Day Exploits (March 2, 2021)
- Volexity: Operation Exchange Marauder (March 2, 2021)
CVEs
IOCs
- Microsoft CSS-Exchange Security
- IOCs in STIX Format
- Microsoft Safety Scanner
- MSTIC IOCs: Exchange Server Vulnerabilities
Other Tools & Resources
Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution and reconnaissance for endpoint security solutions.
On March 2, 2021, Microsoft released a blog post detailing multiple zero-day vulnerabilities used to attack on-premises versions of Microsoft Exchange Server. Microsoft also issued emergency Exchange Server updates for the following vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Microsoft attributed the original compromise to HAFNIUM, a Chinese state-sponsored threat actor. However, since the exploits became publicly available in early March, at least 10 threat groups have been exploiting the vulnerabilities, according to the cybersecurity company ESET.
Based on ESET's telemetry, web shells have already been deployed on over 5,000 unique Exchange Servers in over 115 countries. FireEye currently tracks this activity in three clusters: UNC2639, UNC2640 and UNC2643, and anticipates additional clusters as it responds to intrusions.
Organizations are advised to follow Microsoft's guidance and patch Exchange Servers immediately to mitigate this activity.
| Status | Definition |
|---|---|
| Patched | Exchange server has been patched. |
| Exposed | Exchange server has not been patched and is vulnerable, but no IOCs have been identified on the network. |
| Compromised | IOCs associated with the vulnerability have been observed in the network. |
| Threat Hunting | Threat hunting is the act of searching a network to determine if a compromise has occurred. |
| Remediated | Exchange server has been patched and threat hunting has been completed. If a compromise was identified, the system has been cleared. |