The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) today issued an emergency directive calling for civilian federal agencies with on-premises Microsoft Exchange Servers to either update their software with newly released Microsoft patches or take the products offline until they can patch them.
ED-21-02 also calls for agencies to gather forensic images and, after patching, to look for known indicators of compromise in the wake of Microsoft's revelation that four zero-day flaws in Exchange are being abused by a nation-state group believed to be out of China. CISA also published technical details and indicators of compromise today.
"This Emergency Directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders," said Acting CISA Director Brandon Wales. "The swiftness with which CISA issued this Emergency Directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it."
CISA said it worked with the National Security Agency, Microsoft, and security researchers to provide detection and mitigation steps for the threats.