Multiple nation-state groups are hacking Microsoft Exchange servers

mood · Mar 8, 2020

Multiple nation-state groups are hacking Microsoft Exchange servers
Government-backed groups are exploiting CVE-2020-0688 to take over Exchange email servers
March 9, 2020
https://www.zdnet.com/article/multiple-nation-state-groups-are-hacking-microsoft-exchange-servers/

Multiple government-backed hacking groups are exploiting a recently-patched vulnerability in Microsoft Exchange email servers.
The exploitation attempts were first spotted by UK cyber-security firm Volexity on Friday and confirmed today to ZDNet by a source in the DOD.
THE MICROSOFT EXCHANGE VULNERABILITY
The vulnerability is tracked under the identifier of CVE-2020-0688. Below is a summary of the vulnerability's technical details: [...]
Microsoft released patches for this bug on February 11, when it also warned sysadmins to install the fixes as soon as possible, anticipating future attacks.

Nothing happened for almost two weeks. Things escalated towards the end of the month, though, when the Zero-Day Initiative, who reported the bug to Microsoft, published a technical report detailing the bug and how it worked.
Click to expand...

At least three of these proof-of-concepts found their way on GitHub[1, 2, 3]. A Metasploit module soon followed.
Now, according to Volexity, the scans for Exchange servers have turned into actual attacks.

The first ones to weaponize this bug were APTs -- "advanced persistent threats," a term often used to describe state-sponsored hacker groups.
Click to expand...

Volexity: Microsoft Exchange Control Panel (ECP) Vulnerability CVE-2020-0688 Exploited

The latest Microsoft Exchange ECP vulnerability has provided attackers with another opportunity to break into organizations where they may previously have been unsuccessful. Staying current with patches is the best defense for an organization.
Click to expand...

mood · Mar 16, 2020

Organizations Slow to Patch Targeted Microsoft Exchange Vulnerability
March 16, 2020
https://www.securityweek.com/organizations-slow-patch-targeted-microsoft-exchange-vulnerability

Organizations have fallen behind with the patching of a Microsoft Exchange Server vulnerability addressed with Microsoft’s February 2020 Patch Day updates and already targeted in attacks.

The issue, which exists because keys created at installation are not unique, is tracked as CVE-2020-0688 and impacts Microsoft Exchange 2010, 2013, 2016, and 2019. An attacker could abuse it to trick the server into deserializing malicious ViewState data.
Last week, security researchers warned that attacks targeting vulnerable Exchange Servers started ramping up [...]

However, Kenna Security reveals that companies are, in fact, very slow in addressing the issue, although it could essentially lead to the compromise of their Active Directory.
Looking at the rate of open vs closed instances of the vulnerability, the security firm observed that remediation efforts are at less than 15% at the moment. [...] patching should be closer to 50%, Kenna Security says.
Click to expand...

mood · Apr 6, 2020

80% of all exposed Exchange servers still unpatched for critical flaw
April 6, 2020
https://www.bleepingcomputer.com/ne...ge-servers-still-unpatched-for-critical-flaw/

Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven't yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions.
82.5% of all found Exchange servers not yet patched
Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover all publicly-facing Exchange servers on the Internet and the numbers are grim.
To make matters even worse, some of the servers that were tagged by Rapid7 as being safe against attacks might still be vulnerable given that "the related Microsoft update wasn’t always updating the build number."

Furthermore, "there are over 31,000 Exchange 2010 servers that have not been updated since 2012," as the Rapid7 researchers observed. "There are nearly 800 Exchange 2010 servers that have never been updated."
Patch against CVE-2020-0688 ASAP
"There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise," Rapid7 Labs senior manager Tom Sellers further explained.
Click to expand...

Rapid7: Phishing for SYSTEM on Microsoft Exchange (CVE-2020-0688)

The image above is concerning not just because of the number of servers missing the update for CVE-2020-0688 but also because of how many other updates are also missing.
In addition to the high numbers of servers that are missing multiple updates, there is a concerning number of Exchange 2007 and 2010 servers.
Click to expand...

mood · Jun 24, 2020

Microsoft: Attackers increasingly exploit Exchange servers
June 24, 2020
https://www.bleepingcomputer.com/ne...ackers-increasingly-exploit-exchange-servers/

Microsoft's Defender ATP Research Team today issued guidance on how to defend against attacks targeting Exchange servers by blocking malicious activity identified with the help of behavior-based detection.

The Microsoft researchers based their analysis on multiple campaigns of Exchange attacks investigated during early April which showed how the malicious actors deploying web shells on on-premises Exchange servers.
Exploits increasingly used in Exchange attacks
While threat actors commonly use social engineering and drive-by downloads to steal organization employees' credentials to move through the network and, eventually, to get control of an Exchange server, Microsoft says that the attacks are also increasingly focused on exploiting unpatched Exchange servers.

When attempting to exploit Exchange vulnerabilities, "attackers exploit a remote code execution vulnerability affecting the underlying Internet Information Service (IIS) component of a target Exchange server," Microsoft explained.
Click to expand...

CVE-2020-0688 specifically targeted with exploits
Microsoft's researchers also said that following their investigation of recent Exchange attacks they saw a rise in attacks exploiting Exchange vulnerabilities, "specifically, attacks that exploit Exchange vulnerabilities like CVE-2020-0688."

"The security update that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target."
Click to expand...

Microsoft: Defending Exchange servers under attack

If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance.

This is exacerbated by the fact that Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions.
Click to expand...

mood · Sep 29, 2020

mood said: ↑

80% of all exposed Exchange servers still unpatched for critical flaw
April 6, 2020
https://www.bleepingcomputer.com/ne...ge-servers-still-unpatched-for-critical-flaw/

Rapid7: Phishing for SYSTEM on Microsoft Exchange (CVE-2020-0688)
Click to expand...

Over 247K Exchange servers unpatched for actively exploited flaw
September 29, 2020
https://www.bleepingcomputer.com/ne...ervers-unpatched-for-actively-exploited-flaw/

More than 247,000 Microsoft Exchange servers are to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support.

The CVE-2020-0688 RCE flaw exists in the Exchange Control Panel (ECP) component — enabled in default configurations — and it enables potential attackers to remotely take over vulnerable Exchange servers using any valid email credentials.
Over 61% of servers vulnerable to exploitation not patched
In an update to a previous report on the number of exposed Exchange servers vulnerable to attacks attempting to exploit the CVE-2020-0688 vulnerability, Rapid7 once again made use of its Project Sonar internet-wide survey tool for another headcount.

The company's researchers found that 87% of almost 138,000 Exchange 2016 servers and 77% of around 25,000 Exchange 2019 servers were left exposed to CVE-2020-0688 exploits, and that roughly 54,000 Exchange 2010 servers "have not been updated in six years."
Click to expand...

Patching Exchange servers against CVE-2020-0688
"There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise," Rapid7 Labs senior manager Tom Sellers explains.

As Microsoft said that there are no mitigation measures for the CVE-2020-0688 vulnerability, the only choice left is to patch servers before attackers find them and fully compromise the entire network they're on — unless admins have the time and are willing to reset all accounts' passwords to render previously stolen credentials worthless.
Click to expand...

Log in or Sign up

Multiple nation-state groups are hacking Microsoft Exchange servers

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

Log in or Sign up

Multiple nation-state groups are hacking Microsoft Exchange servers

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

Useful Searches