State-sponsored hackers was exploiting bug in Microsoft Exchange servers. Read on to know more…
On February 11, 2020, Microsoft had released cumulative security updates for multiple vulnerabilities found in its products. One of these included a fix for a remote code vulnerability that existed in the Exchange Control Panel Panel (ECP) and affected Microsoft Exchange email servers 2010, 2013, 2016, and 2019.
Although a patch to address the flaw has been released, there seems to be a large number of Microsoft Exchange servers that are still to be patched. However, threat actors have started seeing this as an opportunity to conduct malicious activities.
The exploitation attempts were first spotted by a London-based cyber security firm, Volexity, that saw this vulnerability -CVE-2020-0688 -exploited in the wild by advanced persistent threat (APT) actors. The vulnerability was discovered by an anonymous security researcher and reported to Microsoft by way of Trend Micro’s Zero Day Initiative.
According to the latest report, several state-sponsored hacking groups was exploiting a recently-fixed vulnerability in Microsoft Exchange email servers. “Two weeks after the security updates were released, the Zero Day Initiative published a blog post providing more details on the vulnerability. The post made it clear that an attacker could exploit a vulnerable Exchange server if the three criteria are not met,” said the Volexity Threat Research team.
“The Exchange Server had not been patched since February 11, 2020; The Exchange Control Panel (ECP) interface was accessible to the attacker and the attacker has a working credential that allows them to access the Exchange Control Panel in order to collect the ViewState Key,” the security researchers noted.
Volexity has observed multiple APT actors exploiting or attempting to exploit on the servers. In some cases, the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use. Several organisations employed two-factor authentication (2FA) to secure their VPN, e-mail, etc., limiting what an attacker can do with a compromised password.
“This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account,” said security researchers. This issue further underscores why changing passwords periodically is a good best practice, regardless of security measures like 2FA.
According to researchers from Volexity, government-backed hacker groups are actively scanning the internet for Microsoft Exchange servers that are vulnerable to a remote code execution flaw tracked as CVE-2020-0688. This security flaw gives attackers the ability to access sensitive data related to an organization.
In recent attacks, Volexity observed the Exchange ECP vulnerability allowed attackers to:
• Run system commands to conduct reconnaissance.
• Deploy webshell backdoor accessible via OWA.
• Execute in-memory post-exploitation frameworks.
Exploiting vulnerabilities in unpatched servers is not new. In 2019, attackers had widely exploited two well-known vulnerabilities in the Oracle WebLogic server (CVE-2019-2725) and Atlassian Confluence server (CVE-2019-3396) to launch attacks. The vulnerabilities were exploited in large to deploy ransomware and other malware. Therefore, it is very necessary to patch the vulnerabilities with security updates as soon as possible.