Federal agencies have been ordered by the Cybersecurity and Infrastructure Security Agency (CISA) yesterday to look for signs of compromised Exchange servers in their networks. Agencies must run the Test-ProxyLogon.ps1 script and Microsoft Safety Scanner tool released by Microsoft, reporting any findings by Monday, April 5th. This is an update to Directive 21-02 issued earlier in early March, urging agencies to assess whether their Exchange servers had been compromised and to immediately apply patches to clean systems and disconnecting those that had been infected. The emergency directive also lays out a June 28th deadline for hardening Exchange severs. Several items for doing so are outlined, including ensuring a firewall sits between the Exchange server and the Internet, ensuring all security and cumulative updates are applied within 48 hours, removing all unsupported or outdated software and more.
Analyst Notes
Many of the steps listed in the hardening requirements section of Directive 21-02 apply to any organization and any type of server or service. Binary Defense highly suggests following these steps to secure Exchange servers within the enterprise. The tools released by Microsoft will also assist administrators in assessing Exchange servers for signs of compromise. Any servers found to be compromised should be immediately removed from the network for further investigation and re-imaging.
Source: https://www.bleepingcomputer.com/news/security/cisa-gives-federal-agencies-5-days-to-find-hacked-exchange-servers/
