The National Security Agency (NSA) said Tuesday that it had alerted Microsoft to “a series of critical vulnerabilities” in the Microsoft Exchange email application, prompting the company to issue a new patch.
In a blog post, Microsoft said it had “not seen” the vulnerabilities used against its customers, but urged users to install timely updates.
“[G]iven recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats,” the company said, in a reference to an earlier disclosure, made in March, that suspected Chinese hackers had exploited different Exchange server flaws to spy on thousands of U.S. organizations.
Deputy national security adviser for Cyber and Emerging Technology Anne Neuberger, who has been leading the U.S. government’s response to both the prior Exchange hack and the SolarWinds cyber espionage campaign attributed to Russia, said in a statement that all federal agencies were being required to “immediately patch” their Exchange servers.
“Should these vulnerabilities evolve into a major incident, we will manage the incident in partnership with the private sector, building on the Unified Coordination Group processes” that were established to deal with the earlier Exchange hack, Neuberger said.
Lawmakers and private cybersecurity experts have been urging the administration to take swifter action to shore up the country’s cyber infrastructure and defenses. On Monday the Biden administration named two senior-level cyber officials – both NSA veterans – to new posts.
Former NSA Deputy Director Chris Inglis was nominated to serve as the country’s first national cyber director, and Jen Easterly, a former intelligence officer at the NSA, was nominated to head the Cybersecurity and Infrastructure Security Agency, which is housed in the Department of Homeland Security.
Disclosing software flaws is a relatively new practice for the NSA, which in the past would collect vulnerabilities and keep them secret for its own use in intelligence gathering. But in January 2020, the agency identified a critical vulnerability in Microsoft Windows 10; it said at the time that its disclosure was an effort to “build trust” with its partners and the public.
“NSA values partnership in the cybersecurity community,” an NSA spokesperson said Tuesday. “We are continuing the partnership by urging application of the patches immediately.”
Rob Joyce, who recently replaced Neuberger as the director of the NSA’s Cybersecurity Directorate, likewise urged entities using the Exchange application to patch as soon as possible.
“Cybersecurity is national security,” Joyce said. “Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors.”
“Don’t give them the opportunity to exploit this vulnerability on your system,” he said.