Joint Cyber Advisory TLP White: Compromise of Microsoft Exchange Server

March 10, 2021

At a Glance


This Advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of vulnerabilities in Microsoft Exchange on-premises products. The FBI and CISA assess that nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities. The exploitation of Microsoft Exchange on-premises products poses a serious risk to Federal Civilian Executive Branch agencies and private companies. Successful exploitation of these vulnerabilities allows an attacker to access victims’ Exchange Servers, enabling them to gain persistent system access and control of an enterprise network. It has the potential to affect tens of thousands of systems in the United States and provides adversaries with access to networks containing valuable research, technology, personally identifiable information (PII), and other sensitive information from entities in multiple U.S. sectors. FBI and CISA assess that adversaries will continue to exploit this vulnerability to compromise networks and steal information, encrypt data for ransom, or even execute a destructive attack. Adversaries may also sell access to compromised networks on the dark web.

On March 2, 2021, Microsoft and Volexity announced the detection of multiple zero-day exploits used to target vulnerabilities in on-premises versions of Microsoft Exchange Servers. In light of this public announcement, FBI and CISA assess that other capable cyber actors are attempting to exploit these vulnerabilities before victims implement the Microsoft updates.

The FBI and CISA have reports of malicious cyber actors using zero-day exploits CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to gain access [T1190] to on-premises Microsoft Exchange servers of U.S. entities as early as January 2021. Various Tactics, Techniques, and Procedures (TTPs) have been identified, but the actor(s) frequently appeared to be writing webshells [T1505.003] to disk for initial persistence, conducting further operations to dump user credentials [T1003], adding/deleting user accounts as needed [T1136], stealing copies of the Active Directory database (NTDS.dit) [T1003.003], and moving laterally to other systems and environments. The actors appear to be collecting [T1114], compressing [T1560.001], and exfiltrating mailbox data. This information has been shared with multiple U.S. government (USG) agencies and partners.

The FBI is proactively investigating this malicious cyber activity, leveraging specially trained cyber squads in each of its 56 field offices, and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies. Sharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims while working to unmask—and hold accountable—those conducting cyber activities.

See the CISA Remediating Microsoft Exchange Vulnerabilities web page for both executive- and technical-level guidance. Additionally, refer to the following CISA Alert for full technical details that address the four vulnerabilities in Microsoft Exchange Servers and associated IOCs.

Alert (AA21-062A): Mitigate Microsoft Exchange Server Vulnerabilities

View the entire report




Related Resources

AHA Center for Health Innovation Market Scan
Health care is under attack as never before from cybercriminals, and the stakes are rising for hospitals and patient safety. The latest potential threat: The…
Advancing Health Podcast
Over the past few years every leader of health care organization in the country has had to acknowledge the threat of a cyberattack that has the potential to…
Advancing Health Podcast
In this special Cybersecurity podcast we have the opportunity to talk to leaders of an AHA member hospital who was a victim of a major ransomware attack in the…
AHA letter to Senators Jack Rosen and Bill Cassidy, M.D. voicing support of the Healthcare Cybersecurity Act (S.3904).
President Biden today urged an immediate hardening of private-sector cyber defenses “based on evolving intelligence that the Russian Government is exploring…
Special Bulletin
The Senate last night passed a $1.5 trillion omnibus appropriations bill that would fund the federal government through the end of the current fiscal year.