N.C. Joint Cybersecurity Task Force Microsoft Exchange Impact Incident Management

This page from the N.C. Joint Cybersecurity Task Force contains the latest information and resources regarding the Microsoft Exchange compromise for North Carolina state agencies, local governments, academic institutions and private sector entities.

Reporting Exposures or Compromises

If your organization is exposed and/or compromised and needs further assistance with recommended industry best practices, please contact the N.C. Joint Cybersecurity Task Force at reportspam@ncem.org.


Microsoft Exchange Incident Management Questionnaire

The task force is asking state, local and academic entities to complete a short questionnaire to help it assess the state’s security posture. Information shared as part of this process will be protected from public disclosure under N.C. G.S. 132-6.1(c). 




Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution and reconnaissance for endpoint security solutions.

On March 2, 2021, Microsoft released a blog post that detailed multiple zero-day vulnerabilities used to attack on-premises versions of Microsoft Exchange Server. Microsoft also issued emergency Exchange Server updates for the following vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Microsoft attributed the original compromise to HAFNIUM, a Chinese state-sponsored threat actor. However, since the exploits became publicly available in early March, at least 10 threat groups have been exploiting the vulnerabilities, according to the cybersecurity company ESET.

Based on ESET's telemetry, web shells have already been deployed on over 5,000 unique Exchange Servers in over 115 countries. FireEye currently tracks this activity in three clusters: UNC2639, UNC2640, and UNC2643. FireEye anticipates identifying additional clusters as it responds to intrusions.

It is recommended to follow Microsoft's guidance and patch Exchange Servers immediately to mitigate this activity.

Patched: The Exchange server has been patched.
Exposed: The Exchange server has not been patched and is vulnerable, but no IOCs have been identified on the network.
Compromised: IOCs associated with the vulnerability have been observed in the network.
Threat Hunting: Threat hunting is the act of searching a network to determine if a compromise has occurred.
Remediated: The Exchange server has been patched and threat hunting has been completed. If a compromise was identified, the system has been cleared.