State-backed hacking groups are exploiting a security flaw to target Microsoft Exchange email servers
Researchers at cyber security firm Volexity say that they have detected multiple state-sponsored hacking groups exploiting a recently patched security flaw to target Microsoft Exchange email servers.
According to the researchers, this remote code execution vulnerability, indexed as CVE-2020-0688, enables attackers to gain access to “significant assets” within an organisation using nothing more than a simple user credential or an old service account.
The security vulnerability was uncovered by an anonymous security researcher, who reported it to Microsoft via Trend Micro’s Zero Day Initiative. Microsoft eventually patched the bug last month in its February 2020 Patch Tuesday security update.
According to the company, the flaw impacts Microsoft Exchange Server when it fails to properly create unique keys at install time.
“Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialised by the web application, which runs as SYSTEM,” Microsoft said.
“The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.”
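Because the flaw depends on the keys not being unique per install, one defender-side check is to compare the ASP.NET machineKey values across every Exchange server in the fleet. The Python example below is added here and is not code from Microsoft, Volexity or the article: it parses constructed web.config fragments for three hypothetical hosts (exch01, exch02, exch03, with placeholder key values) and reports any validationKey/decryptionKey pair shared by more than one server.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config fragments for three hypothetical Exchange servers.
# Key values are placeholders, not real Exchange keys; in practice you would read
# the web.config of the ECP virtual directory from each server.
SAMPLE_CONFIGS = {
    "exch01": """<configuration><system.web>
        <machineKey validationKey="AAAA1111AAAA1111" decryptionKey="BBBB2222BBBB2222"
                    validation="SHA1" decryption="3DES"/>
    </system.web></configuration>""",
    "exch02": """<configuration><system.web>
        <machineKey validationKey="AAAA1111AAAA1111" decryptionKey="BBBB2222BBBB2222"
                    validation="SHA1" decryption="3DES"/>
    </system.web></configuration>""",
    "exch03": """<configuration><system.web>
        <machineKey validationKey="CCCC3333CCCC3333" decryptionKey="DDDD4444DDDD4444"
                    validation="SHA1" decryption="3DES"/>
    </system.web></configuration>""",
}


def extract_machine_key(config_xml):
    """Return (validationKey, decryptionKey) from a web.config, or None if absent."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    return node.get("validationKey"), node.get("decryptionKey")


def find_shared_keys(configs):
    """Group hosts by their machineKey pair and return only the pairs seen on
    more than one host: those keys were not generated uniquely at install time,
    which is the condition CVE-2020-0688 depends on."""
    by_key = defaultdict(list)
    for host, xml in configs.items():
        pair = extract_machine_key(xml)
        if pair is not None:
            by_key[pair].append(host)
    return {pair: sorted(hosts) for pair, hosts in by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    for (vkey, dkey), hosts in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"validationKey {vkey} is shared by {', '.join(hosts)}: keys are not unique per install")
```

A server whose keys match another host's has not had them regenerated and should be treated as unpatched until the February 2020 update is confirmed.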
In February, the Zero Day Initiative published a technical report on CVE-2020-0688 detailing the vulnerability. From the very next day, hackers started scanning the internet to discover vulnerable Exchange servers that they could target at a later date.
According to Volexity researchers, hackers have now started launching actual attacks on such vulnerable servers. State-sponsored hacker groups were the first to weaponise the bug, although other hacking groups, including ransomware gangs, are also expected to target vulnerable servers in the coming days.
CVE-2020-0688 is a post-authentication vulnerability, meaning that hackers need compromised credentials for an email account on the Exchange server and must log in to that account before they can execute a malicious payload and take over the victim’s email server.
So far, the attackers have been observed exploiting the flaw to execute system commands for reconnaissance and to deploy webshell backdoors accessible via OWA. They have also been trying to run in-memory post-exploitation frameworks on vulnerable servers and to brute-force their way to exploitation via Exchange Web Services.
Many organisations use two-factor authentication (2FA) to protect their VPN and e-mail from attacks, thereby limiting what a hacker can do with compromised credentials.
“The most obvious way to address this vulnerability is to apply the security updates made available from Microsoft on February 11, 2020,” Volexity’s researchers stated in their report.
“Volexity also strongly recommends that organizations continue to expire passwords and require users to update passwords periodically,” they added.