White House warns organizations have ‘hours, not days’ to fix vulnerabilities as Microsoft Exchange attacks increase

The Biden administration warned Friday that organizations face enormous risks from the recently disclosed Microsoft Exchange vulnerabilities that have affected thousands of private organizations.

As attacks leveraging the vulnerabilities have escalated, the window for updating exposed servers is incredibly short — “measured in hours, not days,” a senior administration official told reporters.

President Joe Biden was briefed on the Exchange hacks earlier this week, the official said.

“He was very engaged on this topic, he asked a lot of questions on this topic and made clear that he directed that we address cybersecurity vulnerabilities and that we take on this topic with seriousness of purpose,” the official told reporters.

For the first time, the US government has invited members of the private sector to participate in the multi-agency task force established in reaction to the server software flaws, the official said. Private entities will be given access to sensitive compartmented information facilities around the country in order to participate in classified discussions where necessary, the official added.

US intelligence agencies are not seeking any additional legal authorities to monitor for domestic cybersecurity incidents, the official added, as the Biden administration believes public-private partnership are the ideal model for detecting and mitigating cybersecurity threats.

The White House is not yet prepared to assign blame for the Microsoft Exchange attacks, national security adviser Jake Sullivan said earlier on Friday.

“I’m not in a position standing here today to provide attribution,” he said at a White House press briefing. “But I do pledge to you that we will be in a position to attribute that attack at some point in the near future, and we won’t hide the ball on that. We will come forward and say who we believe perpetrated the attack.”

Attacks on the rise

Attacks stemming from the Exchange software flaws are on the rise. On Thursday, Microsoft and security researchers warned that the vulnerabilities are now being combined with another potent cybersecurity threat: ransomware, which locks up a computer or a network’s files and holds them hostage until the victim pays a fee.

“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” Microsoft said in a tweet.

Security experts at Palo Alto Networks estimated Thursday that at least 20,000 US-based Exchange servers remain unpatched and vulnerable to exploitation, and as many as 80,000 around the globe.

Other security researchers say the pace of attacks against Exchange servers is rising as opportunistic hackers seek to take advantage of the opening found by Hafnium, the group Microsoft has said is responsible for the original breaches and is “assessed to be state-sponsored and operating out of China.”

The number of attempted attacks against organizations has been doubling every two to three hours, according to Check Point Research, which monitors the internet for malicious activity.

The addition of ransomware to the volatile mix only increases the danger for vulnerable organizations, said John Hultquist, VP of analysis at Mandiant Threat Intelligence.

“Though many of the still unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails,” Hultquist said. “Ransomware operators can monetize their access by encrypting emails or threatening to leak them, a tactic they have recently adopted.”

Administration planning to respond

On Friday’s conference call with reporters, the senior administration official outlined several steps the Biden administration plans to take in response to the SolarWinds and Microsoft Exchange security incidents, but warned that a direct answer to the SolarWinds hackers is still weeks away.

The nine federal agencies that were compromised by the SolarWinds intrusion have undergone a four-week review with some still reviewing their systems to be sure that the foreign adversaries have been completely evicted, the official said. Those that haven’t finished their reviews are expected to be completed by the end of the month.

The official provided few specifics on a response to the perpetrators of the suspected Russian hackers behind the SolarWinds intrusions.

“You can expect further announcements on that in weeks, not months,” the official said.

The administration’s internal review found “significant gaps in modernization and in technology of cybersecurity across the federal government,” the official said. “We will be rolling out technology to address those gaps we identified beginning with the nine compromised agencies” and then more broadly across the federal government.

Throughout the process, the White House has held regular meetings with deputy heads of the compromised agencies.

In a few weeks, the official said, the White House will roll out an executive action that includes ideas to bolster the nation’s cybersecurity, including proposals to assign letter-grade cybersecurity ratings to software vendors used by the federal government. The idea draws inspiration from Mayor Michael Bloomberg’s sanitation grades for restaurants. Another concept draws on Singapore’s cybersecurity standards for internet-connected consumer devices. The objective, the official said, is to create a “market” for cybersecurity where companies would compete for high security ratings.