CISA orders agencies to fix Microsoft vulnerabilities abused by Chinese hackers

CISA has ordered US federal civilian agencies to tackle Microsoft flaws suspected to be involved in a Chinese spying campaign. Agencies must act by the end of the week.

The order requires agencies to either apply security fixes for the Microsoft Exchange Server software’s vulnerabilities or disconnect the program until they can reconfigure it securely if the system is compromised.

The US agency's Emergency Directive 21-02, "Mitigate Microsoft Exchange On-Premises Product Vulnerabilities," was issued yesterday.

It said that its partners had “observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products”.

"Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network," the agency said.

It added that the vulnerabilities present an "unacceptable risk to Federal Civilian Executive Branch agencies.

Agencies will have to forensically triage artifacts using collection tools to collect system memory, system web logs, windows event logs, and all registry hives. If agencies find no indications of compromise, they must immediately apply Microsoft patches for Microsoft Exchange servers.

"This Emergency Directive remains in effect until all agencies operating Microsoft Exchange servers have applied the available patch or the Directive is terminated through other appropriate action," the agency added.

Microsoft’s disclosure of significant Exchange Server software vulnerabilities brings to the fore certain challenges and themes seen simmering under the surface for a long time in national cyber security.

Steve Forbes, government cyber security expert at Nominet said there’s a tendency to treat cyber security issues between the private and public sectors as separate siloes.

“However, these vulnerabilities demonstrate how flawed that view is. Not only are governments susceptible to software vulnerabilities like any business, but they also face the debate of how extensively to use cloud providers. While historically there has been a perception that it is more secure and robust to run your own infrastructure, this is a good example of where the opposite is true,” Forbes said.

Forbes said CISA’s directive is the latest in a series of increasingly regular emergency directives the agency has issued since its establishment two years ago.

“Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications,” he said.