Cyber Alert! CISA Issues Emergency Directive for Microsoft Exchange Vulnerabilities

March 10, 2021

Coming off quite a busy year of cyber attacks and hacking incidents, if there’s anyone who’s deserving of a nice long permanent vacation in 2021 – it’s online thieves. However, with the latest cyber alert hitting our inboxes late last week, it’s looking like there are “no days off” for those with malicious intent. 

The continuation of threat actors’ dirty work was confirmed in the Emergency Directive issued by the Office for Civil Rights (OCR) and the Cybersecurity and Infrastructure Security Agency (CISA) on March 3. The warning comes in response to several targeted attacks by a group named HAFNIUM, which has gained access to organizations’ files, mailboxes, and credentials by using open-source tools to search for vulnerabilities in Microsoft Exchange Servers.

So what does this mean for you? 

Microsoft has identified 4 different ‘zero-day’ vulnerabilities exploited in the attacks. ‘Zero-day’ is basically just a fancy term for when a cyber actor takes advantage of a previously unknown hardware, firmware, or software vulnerability (picture a hacker finding a shortcut into your network that you didn’t even know existed). These exploits are more difficult to mitigate than standard hacking attacks and something that the OCR categorizes as “one of the most dangerous tools in a hacker’s arsenal.”

Knowing that HAFNIUM’s latest work ranks pretty high on the OCR’s “danger scale” might be a bit unsettling, but following the guidance provided by CISA and Microsoft should give your practice some peace of mind:

  • First, examine your systems for any signs of compromise dating all the way back to September 1, 2020. Microsoft provided a tool to detect any exploitation, which can be found here.
  • If any malicious activity is suspected, your practice should follow incident response procedures and submit a report through the security response portal.
  • If no activity is found, immediately apply the available patches, which can be found in Microsoft’s Security Updates.

While it might seem like a simple three-step process, we don’t expect you to add ‘IT expert’ to your job description. For most independent practices, determining signs of compromise and implementing patches is a lot easier said than done. So, to ensure that all the necessary steps have been taken (along with some weight off your shoulders), we highly recommend consulting with your IT professional on addressing these potential technical vulnerabilities.

There can also be an added bonus to implementing the correct technical safeguards. Recently, the HIPAA Safe Harbor Law was enacted, providing financial incentives for covered entities that comply with NIST and HIPAA standards. By taking the time to ensure your organization is following cybersecurity best practices, your practice can send hackers on an all-expenses-paid vacation to cyber-actor purgatory. Ahhhh, doesn’t that sound relaxing??