ATTENTION ONLINE CREDIT UNIONS
CU*Answers has received inquiries from clients regarding the Exchange server vulnerability reported by Microsoft on March 2. Questions include the risk this issue presents across the cooperative, CU*Answers steps in mitigating the problem, and our response to our own critical vendors.
CU*Answers Network Managed Clients. The CU*Answers Network Services Team has applied patches to all clients who may be affected by this vulnerability. In addition, our team has deployed tools to monitor for any evidence of a security breach to a managed client Exchange server. CU*Answers Network Services will reach out to you directly if there is evidence of a security breach to your Exchange server. If our team does not reach out to you directly, we have not found evidence of a security compromise to your Exchange server. CU*Answers is aware this is an ongoing situation and will continue to review and adjust our tools as new information is released by Microsoft. Microsoft has indicated that email hosted in Office 365 is not vulnerable to this attack.
Unmanaged Clients. If you have Exchange servers and are not managed by CU*Answers, we recommend you research the vulnerability and deploy critical patches and review the server for known indicators of compromise in accordance with Microsoft instructions and your own Incident Management plan.
CU*Answers Own Internal Network. CU*Answers uses Exchange servers for its own internal email. Upon learning of the announcement by Microsoft, CU*Answers patched its own servers, and used Microsoft tools to scan for vulnerabilities. Our team found no evidence CU*Answers’ internal systems were compromised. CU*Answers continues to review its own internal systems for any evidence of a security breach.
Critical Vendors. The AuditLink Team at CU*Answers is in the process of requesting a response from our critical vendors regarding the Exchange server vulnerability. Should CU*Answers learn a third-party vendor is affected, CU*Answers will respond in accordance with its contractual obligations to clients, any applicable laws, and its own internal Information Security Program.
This incident has had significant impact across the United States, with some estimates concluding over 30,000 business are affected in the United States alone. CU*Answers will continue to remain vigilant regarding any new information or updates as this situation continues to unfold.
Information on the vulnerability and Microsoft’s response can be found here:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/