Dive Brief:
- The Biden administration is working to formalize private sector participation in national cybersecurity following the cyberattacks against SolarWinds and Microsoft Exchange Server. The administration's plans, which include private sector participation in a Unified Coordination Group under the National Security Council, are designed to make sure the nation is not caught off guard again by another attack, senior administration officials said during a Friday briefing.
- The administration is working to address some of the liability barriers and disincentives in order to encourage private sector companies to rapidly share threat information and other intelligence. Potential legal waivers were proposed during last month's congressional hearings on SolarWinds to encourage private sector firms to quickly share intelligence related to cyberattacks.
- The administration is also working to create a cybersecurity ratings system for software through executive action in the next few weeks. The system is modeled on former New York City Mayor Michael Bloomberg's letter-grade program for restaurant sanitation and on a Singapore initiative that rates the security of IoT devices.
Dive Insight:
Senior administration officials outlined several steps to help address some of the intelligence gaps exposed by the recent nation-state attacks, which left thousands of U.S. companies open to attack and led to data compromises at at least nine federal agencies.
In both the SolarWinds and the Microsoft Exchange campaigns, evidence shows the threat actors staged their attacks from U.S.-based infrastructure, according to administration officials and testimony during the February congressional hearings. But the government lacked the visibility into that domestic infrastructure needed to prevent the attacks or mitigate them immediately.
Federal officials have been working closely with Microsoft and leading cybersecurity companies in recent weeks to coordinate efforts to mitigate widespread damage from the suspected nation-state attack on Exchange. The hack led to the injection of web shells and theft of emails and other data from tens of thousands of private companies, local government agencies, think tanks and other organizations in the U.S. and overseas.
The senior officials warned that companies needed to take immediate steps to contain the damage from the Exchange Server hack, saying the window for patching exposed servers was "measured in hours, not days."
"We're not surprised to see ransomware gangs targeting these highly publicized vulnerabilities in Microsoft Exchange Server," said Ryan Olson, VP of threat intelligence for Unit 42 at Palo Alto Networks. "Cybercriminals are always quick to exploit new attack vectors, so we expect to see more types of malware in the coming days that attack unpatched servers."
Threat actors are racing to exploit vulnerable servers before they are patched. Palo Alto Networks tracked the number of unpatched, internet-exposed Exchange servers falling from about 125,000 on Monday to 80,000 on Thursday last week, a drop of more than a third.
Companies and other potential targets need human analysts, not just automated scans, to determine how far an intrusion has progressed and what steps are required to neutralize it, according to researchers from Sophos.
Organizations should check server logs for evidence of exploitation and look for file remnants left behind on the Exchange server, according to Mat Gangwer, senior director of Sophos Managed Threat Response.
"If you have an endpoint detection and response product installed, you can also review logs and process command execution," he said via email. "If you find any anomalous or suspicious activity, you should determine your exposure, as this will allow you to decide what to do next."
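A triage script along the lines Gangwer describes, added here as an illustration and not Sophos's or Microsoft's tooling: it parses IIS W3C logs (the format the Exchange front end writes), flags POST requests to .aspx files that are not in an allow-list of expected endpoints, and lists recently modified .aspx files that could be dropped web shells. The log lines, the allow-list and the directory roots below are constructed assumptions for the example, not indicators from the article.

```python
"""Exchange web-shell triage helper (illustrative example, not vendor tooling).

Two checks a responder would run after the Exchange Server attacks:
  1. scan IIS W3C request logs for POSTs to unexpected .aspx paths, and
  2. list .aspx files modified recently under the web-facing directories.
"""
import os
import time

# Assumption: .aspx endpoints that legitimately receive POSTs on this server.
# A real allow-list is built from a known-good server of the same build.
EXPECTED_ASPX_POST_PATHS = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}

# Assumption: directories to sweep for dropped files on an Exchange host.
DEFAULT_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
]

# Constructed IIS W3C log excerpt (not a real capture).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-04 02:11:09 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-04 02:11:41 10.0.0.5 POST /owa/auth/help.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-03-04 02:12:02 10.0.0.5 POST /aspnet_client/system_web/log.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-03-04 02:15:30 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 Mozilla/5.0 302
2021-03-04 02:16:00 10.0.0.5 POST /ecp/default.aspx - 443 alice 203.0.113.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header can change mid-file; keep the latest
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed line
        yield dict(zip(fields, values))


def suspicious_requests(text):
    """Return POSTs to .aspx files with the reasons they look like web-shell traffic."""
    expected = {p.lower() for p in EXPECTED_ASPX_POST_PATHS}
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if rec["cs-method"].upper() != "POST" or not stem.endswith(".aspx"):
            continue
        reasons = []
        if stem not in expected:
            reasons.append("POST to unexpected .aspx path")
        if rec.get("cs-username", "-") == "-" and rec.get("sc-status") == "200":
            reasons.append("unauthenticated request answered 200")
        if not rec.get("cs(User-Agent)", "").lower().startswith("mozilla"):
            reasons.append("non-browser user agent")
        if reasons:
            findings.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec["c-ip"],
                "path": stem,
                "reasons": reasons,
            })
    return findings


def recent_aspx(entries, now, window_seconds=7 * 86400):
    """entries: iterable of (path, mtime). Return .aspx paths modified inside the window."""
    return sorted(
        path for path, mtime in entries
        if path.lower().endswith(".aspx") and now - mtime <= window_seconds
    )


def walk_mtimes(roots):
    """Yield (path, mtime) for every file under the given directory roots."""
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.path.getmtime(path)
                except OSError:
                    continue


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f'{f["time"]} {f["client"]} {f["path"]}: {"; ".join(f["reasons"])}')
    for path in recent_aspx(walk_mtimes(DEFAULT_ROOTS), time.time()):
        print("recently modified:", path)
```

On a real server, point the script at the IIS log directory and widen the window to the earliest date the attack could have reached the host; a hit on either check is the point at which to pull the file, its creation timestamp and the matching EDR process-execution records before touching anything else.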