As we alerted our readers last week, Microsoft announced that its Exchange email servers have been compromised, which is estimated to affect at least 30,000 companies based in the United States. It is reported that the hackers installed web shells (and sometimes multiple web shells) into Microsoft’s customers’ email servers, giving the hackers back doors into the victims’ email content. These web shells allow the attackers to have complete remote control over the victims’ emails and to access other information technology assets of the victims. This means they can access all the data contained in the emails and can plant malware or ransomware directly into a company’s system without having to use a phishing attack that would rely on an employee to introduce the malicious code into the system.

On March 2, 2021, Microsoft released four patches to respond to the vulnerabilities in Exchange Server versions 2013-2019, which we published last week. (insert blog here) On March 8, 2021, Microsoft issued a patch for older, unsupported versions of Microsoft Exchange servers “as a temporary measure to help you protect vulnerable machines right now.” On March 9, 2021 (Patch Tuesday), in addition to the previously-released patches mentioned above, Microsoft issued software updates to address 82 security flaws in various Microsoft products, including Internet Explorer.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert called “Remediating Microsoft Exchange Vulnerabilities” that warns companies that the “exploitation of these vulnerabilities is widespread and indiscriminate,” and therefore CISA “strongly advised all system owners complete the following steps:”

  1. If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
  2. Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
  3. Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
  4. If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
  5. If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. Note: Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in conjunction with measures to secure the Microsoft Exchange environment.

According to security experts, in addition to applying the patches issued by Microsoft and following the guidance from CISA, companies are urged to backup any data stored on company Exchange servers immediately, disconnect those from other servers, and store them offline.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.