A vulnerability in Microsoft Exchange Server is being exploited by multiple threat groups; on unpatched servers it allows attackers to execute code remotely with system privileges.
The vulnerability, tracked as CVE-2020-0688, exists in the control panel of Exchange, Microsoft's mail and calendaring server. It was fixed in Microsoft's February Patch Tuesday updates, but researchers report that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.
According to the researchers, the attacks began in late February. The attackers use the flaw to run system commands for reconnaissance, to deploy web shell backdoors and to execute in-memory post-exploitation frameworks.
Microsoft patched the flaw in February; the Zero Day Initiative (ZDI), which first reported the vulnerability, disclosed its details and how it could be exploited.
The vulnerability exists in the Exchange Control Panel (ECP), a web-based management interface for administrators introduced in Exchange Server 2010. Specifically, every installation ships with the same cryptographic key values in the ECP configuration, instead of keys generated randomly for each installation. These keys protect ViewState, server-side data that ASP.NET web applications store in serialized form on the client.
An attacker can exploit an Exchange server if it has not received the fix released on Feb. 11, 2020, if the ECP interface is reachable by the attacker, and if the attacker holds working credentials that grant access to the ECP. After logging in to the ECP with compromised credentials, the attacker can take advantage of the fixed cryptographic keys by tricking the server into deserializing maliciously crafted ViewState data, and thereby take over the Exchange server.
When the technical details of the flaw were disclosed, multiple APT groups were observed attempting to brute-force credentials through Exchange Web Services (EWS).
Brute-forcing credentials is a common practice, but the frequency and intensity of such attacks against certain organizations increased sharply after the vulnerability was disclosed.
These attempts are attributed to APT groups because the source IP addresses overlap with those seen in earlier attacks, and the credentials used were linked to previous breaches by the same groups.
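As an added example that is not part of the original article, the Python below runs the two detection signals described above over a constructed IIS log excerpt: repeated authentication failures against EWS from a single source, followed by an authenticated request to the ECP that carries ViewState in the query string. The log lines, IP addresses, user names, status codes and the failure threshold are all constructed for illustration; the assumption that a crafted-ViewState request appears in the IIS log as a request to /ecp/ with __VIEWSTATE or __VIEWSTATEGENERATOR in the query string is mine, not a statement from the article.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt for illustration; not real traffic. The
# field list mirrors the default IIS logging fields. 198.51.100.7 is a
# documentation address standing in for an attacker, 10.0.0.42 for an admin.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2020-02-26 09:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401 1
2020-02-26 09:00:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401 1
2020-02-26 09:00:03 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401 1
2020-02-26 09:00:04 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401 1
2020-02-26 09:00:05 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401 1
2020-02-26 09:00:06 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401 1
2020-02-26 09:00:07 10.0.0.5 POST /EWS/Exchange.asmx - 443 jdoe 198.51.100.7 Mozilla/5.0 200 0
2020-02-26 09:01:10 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=CONSTRUCTED&__VIEWSTATE=AAAAconstructedAAAA 443 jdoe 198.51.100.7 Mozilla/5.0 500 0
2020-02-26 09:02:00 10.0.0.5 GET /ecp/default.aspx - 443 admin 10.0.0.42 Mozilla/5.0 200 0
"""


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        # Skip lines that do not match the declared layout instead of guessing.
        if fields is None or len(parts) != len(fields):
            continue
        rows.append(dict(zip(fields, parts)))
    return rows


def ews_bruteforce_sources(rows, threshold=5):
    """Return {client IP: failure count} for sources with >= threshold 401s on EWS."""
    failures = Counter(
        r["c-ip"] for r in rows
        if r["cs-uri-stem"].lower().startswith("/ews/") and r["sc-status"] == "401"
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


def ecp_viewstate_requests(rows):
    """Return ECP requests whose query string carries ViewState parameters.

    Assumption (not from the article): a request that feeds crafted ViewState
    to the ECP is logged as a request to /ecp/ with __VIEWSTATE or
    __VIEWSTATEGENERATOR in cs-uri-query. ASP.NET normally carries ViewState
    in a POST body, which IIS does not log, so ViewState in the query string
    is unusual and worth an analyst's attention.
    """
    hits = []
    for r in rows:
        if not r["cs-uri-stem"].lower().startswith("/ecp/"):
            continue
        query = r["cs-uri-query"]
        if query == "-":  # IIS writes "-" for an empty field
            continue
        keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        if keys & {"__viewstate", "__viewstategenerator"}:
            hits.append(r)
    return hits


def summarize(text, threshold=5):
    """Run both checks over raw log text and return the findings."""
    rows = parse_iis_log(text)
    return {
        "rows": len(rows),
        "ews_bruteforce": ews_bruteforce_sources(rows, threshold),
        "ecp_viewstate": [
            {"time": r["time"], "c-ip": r["c-ip"], "user": r["cs-username"],
             "status": r["sc-status"]}
            for r in ecp_viewstate_requests(rows)
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On a real server, feed `summarize` the contents of the IIS log files (by default under %SystemDrive%\inetpub\logs\LogFiles) rather than the constructed sample. The 401 threshold needs tuning to the environment, since mistyped passwords and misconfigured clients also produce failures; the combination of a brute-force source later appearing as an authenticated user on the ECP with ViewState in the URL is the pattern that matches the attack chain the article describes.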
Hundreds of organizations could be hit with this exploit in the future.
All organizations are strongly advised to ensure they are up to date on security updates from Microsoft, and to restrict access to the ECP virtual directory through access control list (ACL) restrictions or a web application firewall.
Staff should be asked to discard their old passwords and create new ones, and to update their passwords regularly.