The New York Department of Financial Services’ (DFS) Cybersecurity Division issued a March 9 letter to regulated entities regarding the recent Microsoft Exchange breach in which thousands of organizations were compromised via vulnerabilities in the Microsoft Exchange servers.
On March 2, 2021, Microsoft reported that four vulnerabilities were discovered in the Microsoft Exchange servers from 2013 and later. The company made patches available for these vulnerabilities, but many organizations were compromised either before the patches were available or before they were applied, according to DFS.
This comes as Reuters reported on March 7 that more than 20,000 U.S. organizations had been compromised through a back door installed via recently patched flaws in Microsoft Corp.’s email software, according to a person familiar with the U.S. government’s response.
As of early March, the hacking had already reached more places than all of the tainted code downloaded from SolarWinds Corp, Reuters went on to report, with records showing that tens of thousands of organizations in Asia and Europe were also affected.
DFS in its letter urged all regulated entities with vulnerable Microsoft Exchange services to act immediately to patch or disconnect vulnerable servers and use the tools provided by Microsoft to identify and remediate any compromise exploiting these vulnerabilities.
“Regulated entities should immediately assess the risk to their systems and consumers and take steps necessary to address vulnerabilities and customer impact,” DFS’ letter stated, adding that this assessment should identify internal use of vulnerable Microsoft Exchange products and any use of these products by third parties. “Regulated entities should also continue to track developments in this compromise and respond quickly to new information.”
New York’s cyber regulation requires that regulated entities report cybersecurity events within 72 hours at the latest.
Related:
- Ransom-Seeking Hackers Are Exploiting Flaws in Microsoft Email Software
- Microsoft Flaw Exposes as Many as 60,000 Computer Systems in Germany
- Hacked Firms Face ‘Frankenstein’ of State-Based Cyber Notification Laws
- China’s Microsoft Hack, Russia’s SolarWinds Attack Threaten to Overwhelm U.S.
Topics New York
Was this article valuable?
Here are more articles you may enjoy.
Allstate Reports $731M in Q1 Pretax Catastrophe Losses 
FBI Says Chinese Hackers Preparing to Attack US Infrastructure 
AIG General Insurance Chairman McElroy to Retire May 1 
Why New York’s Attorney General Objects to Trump’s Bond Insurer 
