TECHNOLOGY SECURITY ALERT – Threat Actors Exploiting On-Premises Microsoft Exchange Vulnerabilities (EA ID: GENERAL-21-16)

Author
Federal Student Aid

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have received reports of malicious cyber actors using zero-day exploits to gain access to on-premises Microsoft Exchange servers of U.S. entities as early as January 2021. Threat actors who gain this access can steal credentials and mailbox data, which may contain sensitive information such as financial data and personally identifiable information (PII).

The critical vulnerabilities impact on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Please refer to the following vulnerabilities for more details:

Why schools are vulnerable to this attack: Schools are an attractive target for cyber criminals because schools may be running vulnerable versions of Microsoft Exchange in their environments. Threat actors can exploit these vulnerabilities in a variety of ways, including compromising school networks, stealing information, encrypting data for ransom, or even executing a destructive attack.

How to protect your institution: Federal Student Aid (FSA) strongly encourages each school to strengthen its cybersecurity posture by taking the following actions:

  1. If you have the capability, follow the guidance within CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.

  2. Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities. Note: Responding to IOCs is essential to purge an adversary from your network and is a separate action from securing the Microsoft Exchange environment.

  3. Immediately update all instances of on-premises Microsoft Exchange that you are hosting. Please review the available releases of Microsoft Exchange Server Patches and continue to check Microsoft resources for new updates.

  4. If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: These mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.

  5. If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.
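The following PowerShell is an added example for steps 2 and 3 above; it is not part of this alert and not Microsoft's tooling. It assumes it is run from the Exchange Management Shell with PowerShell remoting enabled to each Exchange server, and it assumes the "Microsoft IOC Detection Tool" referred to in step 2 is Microsoft's Test-ProxyLogon.ps1 script, already downloaded into the current directory. The patched build table holds placeholder values that must be filled in from Microsoft's security update release page before the result is trusted. The point it demonstrates is the check a practitioner actually needs for step 3: the Security Update changes the file version of ExSetup.exe, not the AdminDisplayVersion that Get-ExchangeServer reports, so an inventory based on AdminDisplayVersion alone cannot distinguish a patched server from an unpatched one.

```powershell
# Added example, not part of the FSA alert or Microsoft's tooling.
# Assumptions: run in the Exchange Management Shell; PowerShell remoting reaches every
# Exchange server; Microsoft's IOC detection script (assumed to be Test-ProxyLogon.ps1)
# has already been downloaded into the current directory.

# Minimum patched ExSetup.exe revision, keyed by Cumulative Update build (Major.Minor.Build).
# Security Updates are issued per CU, so a plain "newer than X" comparison across CUs would
# wrongly mark an unpatched newer CU as fixed; keying on the CU avoids that.
# PLACEHOLDER values: replace the keys and revisions with the builds from Microsoft's
# security update release page. Until then every real server reports Patched = $null.
$PatchedRevision = @{
    '15.0.0000' = 0   # PLACEHOLDER: Exchange 2013 CU build -> patched revision
    '15.1.0000' = 0   # PLACEHOLDER: Exchange 2016 CU build -> patched revision
    '15.2.0000' = 0   # PLACEHOLDER: Exchange 2019 CU build -> patched revision
}

function Get-LocalExchangeBuild {
    # The file version of ExSetup.exe changes with every Security Update.
    # Get-ExchangeServer's AdminDisplayVersion only reflects the Cumulative Update,
    # so it cannot tell a patched server from an unpatched one.
    $info = (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo
    return $info.FileVersion   # e.g. "15.1.2176.9" (constructed sample value)
}

function Test-ExchangePatched {
    param([Parameter(Mandatory)][version]$Build)
    $cu = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build
    if (-not $PatchedRevision.ContainsKey($cu)) {
        # CU not in the table: out of support or not yet looked up. Report as unknown,
        # never as patched.
        return $null
    }
    return $Build.Revision -ge $PatchedRevision[$cu]
}

function Get-ExchangePatchReport {
    # One row per server: the local build check is executed on each server via remoting.
    Get-ExchangeServer | ForEach-Object {
        $server = $_.Name
        try {
            $buildText = Invoke-Command -ComputerName $server -ScriptBlock ${function:Get-LocalExchangeBuild}
            $build  = [version]$buildText
            $status = Test-ExchangePatched -Build $build
        } catch {
            $build  = $null   # unreachable or no Exchange binaries found
            $status = $null
        }
        [pscustomobject]@{
            Server  = $server
            Build   = $build
            Patched = $status   # $true / $false / $null (unknown CU or unreachable)
        }
    }
}

# Step 3 inventory: which servers still need the Security Update.
Get-ExchangePatchReport | Format-Table -AutoSize

# Step 2: run Microsoft's IOC detection script against all servers (assumed script name and
# parameters, as documented with the script), writing findings to a folder kept for the
# incident record. Uncomment once the script is in the current directory.
# Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath "$env:USERPROFILE\Desktop\ExchangeIOC"
```

Treat a `$null` in the Patched column as "not verified" rather than "fine": it means either the server could not be reached or its CU is not in the table, and both cases need follow-up before the server is counted as updated under step 3. Keep the IOC script output from step 2 alongside any forensic image from step 1, since step 5 and CISA Alert AA21-062A expect that evidence if compromise is confirmed.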

Further details on what your institution can do to protect itself are available on the CISA information page on Remediating Microsoft Exchange Vulnerabilities, located at https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities.

If you believe your institution has been targeted or breached, report the incident immediately to CPSSAIG@ed.gov and FSASchoolCyberSafety@ed.gov. Include the following:

  • Name of the institution

  • OPEID – School Code

  • Date the incident occurred (if known)

  • Date the incident was discovered

  • Technical details of the incident

  • Extent of the impact

  • Remediation status (what has been done since discovery)

  • Institution points of contact

Thank you for your attention to this matter. We are committed to working with schools to combat cybersecurity attacks and protect student financial aid information. If you have any questions about the information included in this announcement, please contact FSASchoolCyberSafety@ed.gov.

Important Informational Links:

FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server

Microsoft Security: Hafnium Targeting Exchange Servers

Department of Education’s recommendation for cybersecurity best practices: Data Security: K-12 and Higher Education