Update as : FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) is sharing the following Updated Alert on Mitigating Microsoft Exchange Vulnerabilities from the Cybersecurity and Infrastructure Security Agency (CISA) to assist HIPAA covered entities and their business associates in addressing serious threats to Microsoft Exchange servers. Organizations are encouraged to review the information below and take appropriate action.
- Read the alert message and resources provided.
- Read CISA’s Remediating Microsoft Exchange Vulnerabilities webpage. (Click here to directly access Microsoft Exchange Server updates).
- Remediate according to CISA’s recommendations as soon as possible.
CISA is aware of threat actors using open-source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020. CISA has updated the Alert on the Microsoft Exchange Server vulnerabilities with additional detailed mitigations.
CISA encourages administrators to review the updated Alert and the Microsoft Security Update and to apply the necessary updates as soon as possible, or to disconnect vulnerable Exchange servers from the internet until the necessary patch is made available.
In a prior cybersecurity newsletter, OCR provided information on zero-day vulnerabilities.
- CISA Alert (AA21-062A)
- CISA Update to Alert on Mitigating Microsoft Exchange Server Vulnerabilities
- CISA Free Cyber Hygiene Services
- Department of Homeland Security DHS Emergency Directive 21-02
- FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server
- Health Sector Council Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations
- LAMMICO article - "No Longer Just 'the IT Guy’s' Problem: Cyber Safety is Patient Safety"
- Microsoft Security Response Center - Multiple Security Updates Released for Exchange Server – updated March 5, 2021