In response to the recent targeting of critical infrastructure in the US and abroad, the Cybersecurity and Infrastructure Security Agency (CISA) urges network and security administrators to prepare and immediately mitigate potential cyber threats with the following measures.

Implement and apply backup and recovery policies and procedures:

  • Maintain offline backups of data
  • Regularly test backup and restoration
  • Ensure all backup data is encrypted and covers the entire organization’s data infrastructure
  • Consider activating BitLocker on all networks and securely back up BitLocker keys with Microsoft
  • Create, maintain, and exercise a cyber incident response plan that includes response procedures for a ransomware incident
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location

Patch and Update Systems:

  • Install updates and patch server operating systems as soon as updates/patches are released
  • Regularly check software updates and end-of-life notifications
  • Consider implementing a centralized patch management system to automate and expedite the process
  • Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470.

See: Microsoft Exchange Server Build Numbers and Release Dates for Service Pack (SP), Cumulative Update (CU), Security Update (SU), or Update Rollup (RU) of the specific Exchange releases.

Evaluate and Update Blocklists and Allowlists

IP allowlists and IP blocklists provide additional security by filtering messages from specific sending server IP addresses. As a supplementary measure, configure email authentication frameworks such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to help eliminate sources of illegitimate and potentially malicious message content.

Implement Network Segmentation

Network Segmentation separates critical network elements from the internet and other less sensitive networks and restricts a malicious threat actor’s lateral movement.

Secure User Accounts

  • Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties
  • Require administrator credentials to install software

Implement Multifactor Authentication

Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.

Use Strong Passwords

Implement password best practices. Require all accounts with password logins to have strong, unique passwords. See CISA Tip Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B: Digital Identity Guidelines for more information.
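NIST SP 800-63B replaces composition rules (mandatory digits, symbols, periodic rotation) with a short set of checks a verifier should apply when a password is chosen: a minimum of 8 characters with long passphrases allowed, Unicode normalization before measuring length, and rejection of values found in breach corpora or common-password lists, of context-specific words such as the username or service name, and of repetitive or sequential characters. The Python below is an added example of such a verifier-side check, not code from CISA or NIST. The common-password set is a constructed stand-in for a real breach corpus, and the substring-based context check is the author's own simple interpretation of the "context-specific words" requirement.

```python
"""Password acceptance check in the style of NIST SP 800-63B section 5.1.1.2 (added example)."""
import unicodedata

MIN_LENGTH = 8
# Constructed stand-in for a breach corpus / common-password list (compared case-insensitively).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "winter2024", "p@ssw0rd"}


def has_repetition(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row, e.g. 'aaaa'."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 in code point, e.g. '1234', 'dcba'."""
    for i in range(len(pw) - run + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(candidate: str, username: str = "", service: str = "",
                   blocklist: set = COMMON_PASSWORDS) -> list[str]:
    """Return the reasons a password should be rejected; an empty list means it is acceptable."""
    # 800-63B: apply Unicode NFKC normalization so length is measured consistently.
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in blocklist:
        reasons.append("appears in the common/breached password list")
    for label, word in (("username", username), ("service name", service)):
        if word and word.lower() in pw.lower():
            reasons.append(f"contains the {label} '{word}'")
    if has_repetition(pw):
        reasons.append("contains a run of 4 or more repeated characters")
    if has_sequence(pw):
        reasons.append("contains a sequence of 4 or more consecutive characters")
    # No composition rules and no upper length limit below 64: spaces and long passphrases are fine.
    return reasons


if __name__ == "__main__":
    for pw, user in (("correct horse battery staple", "alice"), ("Winter2024", "bob"),
                     ("aaaa1234", "bob"), ("bob-secret-9", "bob"), ("short", "eve")):
        verdict = check_password(pw, username=user, service="vpn")
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Uniqueness across accounts cannot be checked locally; that part of the guidance is enforced by a password manager and by using a large breach corpus rather than the small constructed set above.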

Secure and Monitor RDP and other Potentially Risky Services

  • If you use RDP, restrict it so that resources are reachable only over internal networks. After assessing risks, if your organization deems RDP operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices
  • Disable unused remote access/RDP ports
  • Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts (to block brute force campaigns), and log RDP login attempts
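Monitoring RDP logs for brute force, as the last bullet recommends, comes down to counting failed logons per source address within a time window and paying special attention to a success that follows the failures. The Python below is an added example (not code from the advisory) of that detection over Windows Security events: event ID 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP). The line format is a constructed flattening of the relevant event fields; a real deployment would read them from `wevtutil`, `Get-WinEvent` or the SIEM, and only the parser would change. The threshold and window are assumptions to be tuned per environment and aligned with the account lockout policy.

```python
"""Detect RDP brute-force attempts in Windows Security log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: ISO timestamp, then the event fields that matter for this check.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)
RDP_LOGON_TYPE = "10"   # RemoteInteractive; some hosts also log RDP reconnects as type 7 (Unlock)


def parse(line: str):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "eid": m["eid"], "logon_type": m["lt"], "user": m["user"], "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Return alerts as (ip, kind, detail); kind is 'bruteforce' or 'success-after-bruteforce'."""
    alerts = []
    recent_failures = defaultdict(deque)   # source IP -> timestamps of 4625 events inside the window
    flagged = set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue                        # console, service, network logons are out of scope here
        ip, ts = ev["ip"], ev["ts"]
        if ev["eid"] == "4625":
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", f"{len(q)} RDP logon failures within {window}"))
        elif ev["eid"] == "4624" and ip in flagged:
            # A success from a source that was brute forcing is the event to escalate first.
            alerts.append((ip, "success-after-bruteforce", f"user {ev['user']} logged on"))
    return alerts


# Constructed sample log: one source hammering RDP and then succeeding, one benign source,
# and one non-RDP failure that must be ignored. Addresses are documentation ranges.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5",
    "2024-03-01T09:00:10Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5",
    "2024-03-01T09:00:12Z EventID=4625 LogonType=2 TargetUserName=jdoe IpAddress=-",
    "2024-03-01T09:00:20Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.5",
    "2024-03-01T09:00:25Z EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7",
    "2024-03-01T09:00:30Z EventID=4625 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.5",
    "2024-03-01T09:00:40Z EventID=4625 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.5",
    "2024-03-01T09:00:50Z EventID=4625 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.5",
    "2024-03-01T09:01:00Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7",
    "2024-03-01T09:01:05Z EventID=4624 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.5",
]

if __name__ == "__main__":
    for ip, kind, detail in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{kind:26} {ip:15} {detail}")
```

The benign source (two failures then a success) produces nothing, and the attacking source alerts once at the fifth failure rather than on every subsequent one, which keeps the alert volume proportional to incidents rather than to attempts.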

Use Antivirus Programs

Install and regularly update antivirus and anti-malware software on all hosts.

Validate Security Controls

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. CISA recommends testing your existing security controls to assess how they perform against the ATT&CK techniques described in this advisory.

Follow the link for additional ways to secure Microsoft Exchange Servers