Attackers who successfully exploit the most severe of these vulnerabilities could execute arbitrary code on the mail server and potentially view, change, or delete data, according to the Multi-State Information Sharing and Analysis Center. Microsoft is attributing the attacks to HAFNIUM, a Chinese state-sponsored group.
DIR recommends that security teams use the Indicators of Compromise, which can be found at https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, to assess whether or not the vulnerabilities are being exploited.
"Anyone using on-premise Microsoft Exchange Servers 2013, 2016 or 2019 should immediately apply the patches that Microsoft has released to protect against this attack," Texas' Chief Information Security Officer Nancy Rainosek said. "The Office of the Chief Information Security Officer (OCISO) and DIR will continue to provide information through the Texas Information Sharing and Analysis Organization (ISAO) and are working with federal and state partners to assess the situation as it develops."