Thousands of Exchange servers breached prior to patching, CISA boss says

“Patching is not sufficient,” Brandon Wales said.
Brandon Wales testifies Dec. 2, 2020, before a Senate Homeland Security and Governmental Affairs Subcommittee. (Benjamin Freed / Scoop News Group)

A U.S. government cybersecurity official on Monday warned organizations not to have a false sense of security when it comes to vulnerabilities in Microsoft Exchange Server software, noting that “thousands” of computer servers with updated software had already been breached.

“Patching is not sufficient,” said Brandon Wales, acting head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). “There are literally thousands of compromised servers that are currently patched. And these system owners, they believe they are protected.”

“We’re seeing improvements there, but more work needs to be done,” Wales said at an event hosted by Auburn University’s McCrary Institute. “The vulnerabilities can be scriptable, allowing automated exploitation, and that’s just a risk that’s unacceptable.”

Everyone from suspected Chinese spies to ransomware gangs has in the last month moved to exploit the flaws in Exchange Server, popular email server software. At least one of the bugs could allow an attacker to steal the entire contents of email inboxes. U.S. local government organizations and small businesses, which generally lack security resources, are among the most exposed.

Microsoft has released a free tool to detect and mitigate compromises, and CISA has ordered all federal civilian agencies to address the issue.

That sense of urgency has led to progress: Overall, the number of vulnerable systems in the U.S. fell 45% last week, to fewer than 10,000, the White House said Monday.

Wales made it clear, though, that investigating the compromises remains a pressing issue. He called on organizations that find malicious Exchange Server-related activity on their networks to “take aggressive action to remediate” the problem, or to ask for outside help. “You can be used to attack third parties or you can yourself be disrupted,” Wales warned, citing the risk of ransomware.

The malicious activity amounts to the second major set of cyber incidents facing the Biden administration, which is already coping with a suspected Russian hacking campaign that has exploited software made by federal contractor SolarWinds and other vendors.

CISA officials told lawmakers March 10 that the agency had yet to find any signs that federal civilian agencies had been breached in the Exchange Server activity.

Wales said Monday that CISA’s investigation into the matter is ongoing.

“We’re actually still working with a couple of federal agencies … to review their network traffic and identify whether there were any compromises,” Wales said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.