ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

• See Supplemental Direction v2 below issued on April 13, 2021 for the latest.
• See Supplemental Direction v1 below issued on March 31, 2021.

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 21-02, “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities”.

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2)

Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3).

Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v)

These directives do not apply to statutorily-defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).

Background

CISA partners have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.

Currently, the vulnerabilities related to this known exploitation activity include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. According to Microsoft and security researchers, the following vulnerabilities are related yet not known to be exploited: CVE-2021-26412, CVE-2021-26854, CVE-2021-27078.

Required Actions

1. After identifying all instances of on-premises Microsoft Exchange Servers in the environment, agencies that have the expertise shall forensically triage artifacts using collection tools (see CISA’s Activity Alert for examples) to collect system memory, system web logs, windows event logs, and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities as described in the Activity Alert. If there is anomalous behavior or an indication of compromise detected, proceed to Action 2.

If no indications of compromise have been found, agencies must immediately apply Microsoft patches for Microsoft Exchange servers and proceed to Action 5.

If an agency does not have the expertise to forensically triage its systems, it should proceed to Action 3.

2. Agencies that have the expertise to take the following steps immediately must do so before proceeding to Action 3. Agencies shall examine artifacts collected in this step for indications of compromise or anomalous behavior, such as credential dumping, lateral movement, persistence mechanisms and other follow on exploitation activity. Agencies without this expertise shall proceed to Action 3.
   1. Forensically image system memory or, for virtual hosts, make a copy of the Virtual Memory (VMEM) to external storage for analysis.
   2. If a live forensic disk image can be acquired, follow Agency procedures to acquire the live system disk image.
   3. If a live forensic disk image cannot be acquired, pause all instances of systems (virtual machines) running Outlook on the Web a.k.a. Outlook Web Access/App (collectively OWA) or Exchange Control Panel (ECP).
   4. Conduct forensic analysis of the system memory and disk image to look for IOCs provided in CISA Activity Alert
   5. Analyze stored network traffic and metadata for indications of compromise provided in CISA Activity Alert, or suspicious connections.
   6. Hunt the network and systems for additional indications of compromise, which will be provided in CISA Activity Alert.

3. Agencies that have identified indications of compromise in Action 1, or did not have the expertise to conduct Action 1 or 2, shall follow these steps and proceed to Action 4:
   1. Immediately disconnect Microsoft Exchange on-premises servers.
   2. Until such time as CISA directs these entities to rebuild the Microsoft Exchange Server operating system and reinstall the software package, agencies are prohibited from (re)joining the Microsoft Exchange Server to the enterprise domain.
   3. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
   4. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available.

4. Immediately report as an incident to CISA the existence of any of the following:
   1. Identification of indicators of compromise as outlined in CISA Activity Alert.
   2. Presence of web shell code on a compromised Microsoft Exchange on-premises server.
   3. Unauthorized access to or use of accounts.
   4. Evidence of lateral movement by malicious actors with access to compromised systems.
   5. Other indicators of unauthorized access or compromise.
   6. Other indicators related to this issue to be shared by CISA in the Activity Alert.
5. All agencies shall submit a report to CISA using the reporting template provided below by noon Eastern Standard Time on Friday, March 5, 2021. Department-level Chief Information Officers (CIOs) or equivalents must submit this report attesting agency status to CISA.

These Required Actions apply to agencies operating Microsoft Exchange Servers in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

CISA Actions

• CISA will continue to work with our partners to monitor for active exploitation associated with these vulnerabilities.
• CISA will release additional indicators of compromise as they become available.
• CISA will provide technical assistance to agencies without internal capabilities to comply with this directive.
• CISA will provide additional guidance to agencies via the CISA website, through an emergency directive issuance coordination call, and through individual engagements upon request (via CyberDirectives@cisa.dhs.gov).
• By April 5, 2021, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying cross-agency status and outstanding issues.

Duration

This Emergency Directive remains in effect until all agencies operating Microsoft Exchange servers have applied the available patch or the Directive is terminated through other appropriate action.

Additional Information

• General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
• Reporting indications of potential compromise – Central@cisa.dhs.gov

Supplemental Direction V2

April 13, 2021

Background

This document provides supplemental direction on the implementation of CISA Emergency Directive (ED) 21-02, including additional forensic triage requirements, server hardening requirements, and reporting requirements for agencies hosting on-premises Microsoft Exchange products.

This supplemental direction is provided pursuant to ED 21-02¹. All other provisions specified in ED 21-02 remain in effect. The following requirements apply to all operational Microsoft Exchange servers hosted² by or on behalf of federal agencies that had been connected to the Internet (either directly or indirectly – i.e., connected to another device or network that is connected to the Internet) at any time since January 1, 2021.

Although federal agencies successfully responded to ED 21-02, which included initial efforts to forensically triage and rapidly update Microsoft Exchange servers hosted in the federal enterprise, CISA is directing additional actions to identify compromises that may remain undetected. Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised. CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening.

Required Actions

Forensic Triage

For all hosted Microsoft Exchange servers, agencies must take the following actions:

1. By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021, download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode and report results to CISA using the provided reporting template.

   Weekly, for four weeks after the first scan, download and run the latest version of MSERT and only report to CISA findings that may indicate compromise, per incident reporting instructions below (unlike the initial reporting requirement for the first scan, negative results for these weekly recurring scans do not need to be reported).

   MSERT only scans when manually triggered and it is updated frequently. Agencies must download the latest version of this tool before each scan. Running MSERT in Full Scan mode may cause server resource utilization to peak. Accordingly, CISA recommends agencies run the tool during off-peak hours. The full scan is expected to take several hours. During the scan, files may present as possible matches, but only the final report is conclusive.

2. By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021, download and run the Test-ProxyLogon.ps1 script as an administrator to analyze Exchange and IIS logs and discover potential attacker activity. Report results to CISA using the reporting template provided below.

This script checks targeted exchange servers for signs of the proxy logon compromise described in CVE-2021-26855, 26857, 26858, and 27065. This script is intended to be run via an elevated Exchange Management Shell. If the script does not identify attacker activity, it outputs the message “Nothing suspicious detected.” If attacker activity is identified, the script reports the vulnerabilities for which it found evidence of use and collects logs that it stores in the specified output path in the Test-ProxyLogonLogs directory.

If agencies detect indications of compromise while conducting these activities (e.g., one of the tools returns positive result in the final report), this must be immediately reported as an incident through /report. Detailed tool results must be attached to the ticket.

Hardening Requirements

Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity. For all hosted Microsoft Exchange servers, agencies must implement the following hardening requirements by 12:00 pm Eastern Daylight Time on Monday, June 28, 2021.

1. Firewall – Microsoft Exchange servers must be provisioned with a firewall between the server and the internet. a. The firewall must enforce deny by default, allow by exception rules. b. To the maximum extent technically possible, RFC compliance must be enabled for allowed protocols on the firewall. c. Agencies must report and note the reason for any allowed protocol for which RFC compliance is not enabled.
2. Software Updates – All software installed on the server (including the operating system and server firmware) must have security and cumulative updates deployed within 48 hours of update availability.
3. Supported Versions – All software installed on servers that host Microsoft Exchange (including host OS and server firmware) must be supported by the manufacturer (i.e., must not be end of service or end of life such as Exchange 2007 & 2010).

4. Identity – Exchange is, by default, installed with some of the most powerful privileges in Active Directory, making it a prime target for threat actors. For each instance of hosted Microsoft Exchange server, agencies must: a. Enumerate accounts and groups that are leveraged by Exchange installations and review their permissions and roles. b. Review membership in highly privileged groups such as Administrators, Remote Desktop Users, and Enterprise Admins. c. Review sensitive roles such as Mailbox Import Export and Organization Management (e.g. using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell). d. Strictly adhere to the principle of least privilege. e. Ensure that no account on an Exchange server is a member of the Domain Admin group in Active Directory. f. Prevent the accounts that manage on-premises Exchange from having administrative permissions in any Microsoft Office 365 environment.

   In performing actions 4a through 4f, agencies should use tools such as BloodHound to understand the possible attack path that starts with a compromise of their Exchange infrastructure as the result of compromised Exchange permissions in Active Directory. BloodHound is an open-source tool for enumerating and visualizing a domain’s Active Directory devices, users actively signed into such devices, and resource allocation along with all associated permissions. Attackers use the same methods to discover and abuse weak permission configurations for privilege escalation by taking over other user accounts or adding themselves to groups with high privileges. Attackers leverage these weak privileges to enable a lateral movement path to their target privileges.

5. Security Operation Centers (SOC) – Agencies must configure logging to ensure that all logs from the host OS, Microsoft Exchange, and associated network logs are captured and stored for at least 180 days, where feasible, in a separate, centralized log aggregation capability and logs are made available to and are being actively monitored by the agency SOC.
6. Anti-malware protection – All Exchange servers must have anti-malware software installed and enabled, with signatures not older than 24 hours.
7. Agencies participating in the Continuous Diagnostics and Mitigation (CDM) program must validate that their on-premises Exchange servers are visible to CDM information security continuous monitoring capabilities, where possible.

Reporting Agency Status

For each agency, department-level Chief Information Officers (CIOs) or equivalents shall submit two additional status reports to CISA using the template provided below to CyberDirectives@cisa.dhs.gov.

By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021:

• Report to CISA the results of the tool scans (including when no attacker activity is found).

12:00 pm Eastern Daylight Time on Monday, June 28, 2021:

• Report to CISA the status of all hardening efforts. Agencies shall also report back to CISA if they are not capable of completing any of the hardening steps as defined along with rationale.

CISA recommends that agencies retain all results of forensic triage activities for at least six months.

If at any point, while conducting these activities, agencies detect any indications of compromise (e.g., one of the tools returns a positive result), this must be immediately reported as an incident through /report. Detailed tool results must be attached to the ticket.

Additional Information

• General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov
• Reporting indications of potential compromise – Central@cisa.dhs.gov

Supplemental Direction V1

March 31, 2021

Background

This document provides supplemental direction on the implementation of Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive (ED) 21-02, including additional requirements for updating Microsoft Exchange servers.

This supplemental direction is provided pursuant to ED 21-02, issued on March 3, and the first Supplemental Direction issued on March 31, 2021. All other provisions specified in ED 21-02 and the first Supplemental Direction remain in effect. The following requirements apply to all operational on-premises Microsoft Exchange servers hosted by or on behalf of federal agencies.

On April 13, 2021, Microsoft released a software update to mitigate significant vulnerabilities that affect on-premises Exchange Servers 2013, 2016, and 2019. An attacker could use these vulnerabilities to gain access and maintain persistence on the target host. These vulnerabilities are different from the ones disclosed and fixed in March 2021 – the security updates released in March 2021 will not remediate against these vulnerabilities. Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity.

Though CISA is unaware of active exploitation of these vulnerabilities, once an update has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit.

CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.

Applying the update released on April 13 to Exchange servers is currently the only mitigation for these vulnerabilities (aside from removing affected servers from the network). CISA requires that agencies immediately apply the Microsoft April 2021 update to all affected Exchange Servers.

Required Actions

• Deploy Microsoft Updates. Before 12:01 am Friday, April 16, 2021, Eastern Daylight Time, agencies with on-premises Microsoft Exchange servers must deploy Microsoft updates from Tuesday, April 13, 2021, to all affected Microsoft Exchange servers. Microsoft Exchange Servers that cannot be updated within the deadline above must be immediately removed from agency networks.
• Apply/Maintain Controls. Ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected endpoints are updated before connecting to agency networks.
• Report Completion. For agencies managing on-premises Microsoft Exchange servers, department-level Chief Information Officers (CIOs) or equivalents shall submit a report to CISA using the template provided below to CyberDirectives@cisa.dhs.gov by Noon Eastern Daylight Time on Friday, April 16, 2021.

• Report Indications of Compromise. Immediately report any identified cyber incidents and related indications of compromise detected while conducting update activities through Report to CISA.

Duration

This direction remains in effect until replaced by a subsequent directive or terminated through other appropriate action.

Additional Information

• General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov

Footnotes for Supplemental Guidance v1

1. On March 3, 2021, CISA issued ED 21-02 to mitigate on premises Exchange server vulnerabilities. 
2. The term ‘hosted servers’ is used to denote any instance of Microsoft Exchange servers hosted by or on behalf of federal agencies on agency or third-party premises, excluding any instances of Microsoft Office 365.