Image source: David Mark / Pixabay
By Joseph Menn
WASHINGTON (Reuters) – The top cybersecurity official in the White House on Tuesday directed all government agencies to urgently apply new patches for Microsoft Corp Exchange email servers to head off exploitation by hackers.
The rare directive applies to software fixes for four flaws discovered by the U.S. National Security Agency and reported to Microsoft.
“We recognize when vulnerabilities may pose such a systemic risk that they require expedited disclosure,” Deputy National Security Advisor for Cyber & Emerging Technologies Anne Neuberger said in a statement.
Microsoft said it had not seen the problems being exploited so far, but hackers will study the new patches to see what they are fixing, then deploy attacks against unpatched machines.
The new flaws come on top of those used in a flood of attacks earlier this year that compromised more than 20,000 U.S. on-premises Exchange servers handling web versions of Outlook mail.
Though the vast majority of those vulnerable to the previous round of attacks have now patched their systems, Justice Department officials said Tuesday they had won court permission to gain access to privately owned servers and remove the web shells left by some of the hackers for future remote access.
That sort of active engagement by U.S. officials is expected to accelerate with this week’s nominations of NSA veterans to other national cyber security posts, including a head of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.
Reporting by Joseph Menn and Chris Sanders; Editing by Chris Reese and Grant McCool.