Statement on Active Exploitation of Microsoft Exchange Vulnerabilities

The Communications Security Establishment’s (CSE) Canadian Centre for Cyber Security (Cyber Centre) issued an Alert on Active Exploitation of Microsoft Exchange Vulnerabilities and strongly recommends that organizations prioritize external-facing Exchange servers and immediately apply the necessary updates. All affected external-facing servers should have remote access temporarily disabled until patches can be applied. All other affected Exchange servers should be patched once the higher-priority external-facing servers have been completed.

CSE is aware of recent security updates published by Microsoft on March 2, 2021, addressing zero-day vulnerabilities that have reportedly been used in limited targeted compromises. Security researcher Volexity has reported that the activity appears to have started as early as January 6, 2021.

Cyber security is one of the most serious economic and national security challenges facing Canada and its allies. The Government of Canada, through the joint efforts of CSE and its Cyber Centre, as well as other departments and agencies, is working to create a safer and more secure cyber space for all.

The Government of Canada deals with ongoing and persistent cyber risks and threats every day. We work with government partners to ensure there are robust systems and tools in place to monitor, detect, and investigate potential threats, and to neutralize threats when they occur. In addition to these defensive systems, the Cyber Centre is actively engaged with our government and non-government partners, sharing cyber security advice and guidance, mitigations, and operational updates.

Guidance

To limit the chance of an initial compromise, systems can be hardened by restricting untrusted connections: isolate Exchange servers from external-facing connections, or require access through a Virtual Private Network (VPN). Microsoft reports that these mitigations protect only against the initial portion of the compromise; later portions of the chain can still be triggered if an actor already has access or can convince an administrator to run a malicious file.
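One way to apply the "restrict untrusted connections" mitigation on a single server, as an added example that is not part of the Cyber Centre statement or of Microsoft's guidance: use Windows Defender Firewall to disable the broad inbound allow rules for the Exchange front end's HTTPS port (TCP 443) and replace them with an allow rule scoped to the VPN client subnet. The subnet 10.20.0.0/16, the rule name, and the CSV path are assumptions chosen for illustration. Note that this breaks Outlook on the web, ActiveSync and Outlook Anywhere for any client not on the VPN, that other Exchange servers and load-balancer health probes must be added to the trusted list, and that, as the statement says, it addresses only the initial, network-facing step of the chain. Run it elevated on the Exchange server.

```powershell
# Added example (not from the Cyber Centre statement): temporarily restrict inbound HTTPS on an
# Exchange server to trusted subnets with Windows Defender Firewall until patches are applied.
# Assumptions: VPN clients receive addresses from 10.20.0.0/16 (hypothetical), client traffic
# reaches the Exchange front end on TCP 443, and the rule name and CSV path below are ours.

$TrustedSubnets = @('10.20.0.0/16')   # VPN client range; add subnets hosting other Exchange servers or load balancers
$RuleName       = 'Exchange HTTPS - trusted subnets only (temporary)'
$Record         = "$env:TEMP\disabled-443-rules.csv"

# 1. Find enabled inbound Allow rules that would admit TCP 443 from anywhere (Exchange setup and IIS
#    create such rules). An Allow rule matching 'Any' remote address would let internet traffic in,
#    so each one is recorded and disabled.
$broadAllows = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -in @('TCP', 'Any') -and ($_.LocalPort -contains '443' -or $_.LocalPort -eq 'Any') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

$broadAllows | Select-Object Name, DisplayName, Profile | Export-Csv -Path $Record -NoTypeInformation
$broadAllows | Disable-NetFirewallRule

# 2. Allow TCP 443 only from the trusted subnets. With the profile's default inbound action (Block)
#    in effect, traffic from any other address matches no Allow rule and is dropped.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $TrustedSubnets -Action Allow -Profile Any -Enabled True | Out-Null

# 3. Verify: every profile should be enabled with DefaultInboundAction = Block, and the new rule
#    should carry only the trusted addresses.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Rollback once the server is patched:
#   Remove-NetFirewallRule -DisplayName $RuleName
#   Import-Csv $Record | ForEach-Object { Enable-NetFirewallRule -Name $_.Name }
```

The recorded CSV is what makes the change reversible; without it, re-enabling the right Exchange and IIS rules after patching means reconstructing them by hand. A perimeter firewall or load balancer rule achieving the same scoping is equivalent and is usually easier to manage across several servers.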

Should activity matching the content of this Alert be discovered, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).

We would also like to highlight the importance of applying cyber defence best practices, including increased monitoring of network logs, reminding employees to be alert to suspicious emails, using secure teleworking practices, and ensuring servers and critical systems are patched for all known security vulnerabilities.

The Cyber Centre will continue to issue alerts and cyber bulletins to our industry sector partners, including critical infrastructure, to raise awareness of threats like these. We count on our national, provincial, and regional partners across Canada to further share information of cyber security importance, in order to reach as many stakeholders as possible within the broad IT community.

We encourage all Canadians and Canadian organizations to follow the Cyber Centre’s alerts and advisories on Cyber.gc.ca, and to contact us or local law enforcement if they suspect they have been the victim of a cyber incident.
