In testimony before the Homeland Security Subcommittee, Eric Goldstein, CISA’s executive assistant director for cybersecurity, stated, “At this point in time there are no federal civilian agencies that are confirmed to be compromised by this campaign”, according to a news report published by BleepingComputer. CISA has also stated that it is still at the beginning of its investigation, so that statement is subject to change. US federal government agencies were ordered last week to immediately patch their Exchange servers or disconnect them from the Internet. Many private companies have apparently not taken the vulnerabilities as seriously, though: the Dutch Institute for Vulnerability Disclosure announced that it scanned the Internet and found 46,000 Exchange servers still unpatched. Threat groups have been scanning for vulnerable Exchange servers and many of them have likely found the same or a similar number of servers. As exploit code becomes more publicly available, more vulnerable servers will be compromised and likely held for ransom.
Due to the mass exploitation performed by several APT groups, the ProxyLogon vulnerabilities should be treated as the highest priority for patching. Additionally, Microsoft has released several tools and queries to both detect and mitigate the vulnerabilities (https://github.com/microsoft/CSS-Exchange/tree/main/Security). Binary Defense recommends using the scripts in that repository to identify any unknown infections that may have resulted from exploitation, since patching alone does not remove web shells or other persistence already placed on a server. Additionally, Binary Defense recommends employing a 24/7 SOC as a service, such as Binary Defense’s own Security Operations Task Force.