NSA Warns About Microsoft Exchange Flaw as Attacks Start – BleepingComputer

The U.S. National Security Agency (NSA) warned about a post-authentication remote code execution vulnerability affecting all supported Microsoft Exchange Server versions in a tweet published on the agency's Twitter account.

NSA's tweet reminded followers to patch CVE-2020-0688, a vulnerability that lets an attacker holding any valid mailbox credentials execute commands on vulnerable Microsoft Exchange servers.

Microsoft patched this RCE flaw as part of the February 2020 Patch Tuesday and tagged it with an "Exploitation More Likely" exploitability index assessment, hinting that CVE-2020-0688 would be an attractive target for attackers.

State-backed hackers already attacking Microsoft Exchange servers

The same day, researchers at security firm Volexity confirmed that exploitation of this flaw had begun in late February, with several organizations already having had their networks compromised by state-backed advanced persistent threat (APT) groups exploiting CVE-2020-0688.

“Volexity has also observed multiple concerted efforts by APT groups to brute-force credentials by leveraging Exchange Web Services (EWS) in an effort to likely exploit this vulnerability,” their report says.

“Volexity believes these efforts to be sourced from known APT groups due to IP address overlap from other attacks and, in some cases, due to the targeting of credentials that would only be known from a previous breach.”

Active exploitation of Microsoft Exchange servers by APT actors via the ECP vulnerability CVE-2020-0688. Learn more about the attacks and how to protect your organization here: https://t.co/fwoKvHOLaV #dfir #threatintel #infosec

— Volexity (@Volexity) March 6, 2020

A U.S. Department of Defense (DoD) source also confirmed the ongoing attacks to ZDNet, although, just like Volexity, it did not name the groups or the countries behind them.

As BleepingComputer previously reported, scans for unpatched Microsoft Exchange servers started on February 25, the same day Zero Day Initiative security researcher Simon Zuckerbraun published a report on CVE-2020-0688.

After his report, multiple proof-of-concept exploits surfaced on GitHub, and Rapid7 followed by adding a module targeting this flaw to the Metasploit penetration-testing framework.

Sigma rules for SIEM systems, provided by Nextron Systems' Florian Roth, are available for detecting exploitation attempts against unpatched Exchange servers.
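The two observable patterns described above, ViewState smuggled in the query string of an ECP request and credential brute-forcing against EWS, can both be pulled out of Exchange's IIS logs. The following is an added example written for this page; it is not Florian Roth's Sigma rule nor any BleepingComputer or Volexity code, and the log lines are constructed for the demonstration rather than captured from a real server. The ECP check approximates the public detection logic (both `__VIEWSTATE=` and `__VIEWSTATEGENERATOR=` in the query string of a `/ecp/` request); the EWS check is a simple failed-login counter per source IP, with the threshold an assumption you would tune for your environment.

```python
from collections import Counter

# Constructed IIS W3C log excerpt (made up for this example, not real traffic).
# Field order mirrors a typical Exchange IIS log header; IIS replaces spaces
# inside a field with '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-06 10:01:02 10.0.0.5 GET /owa/ - 443 contoso\\alice 198.51.100.7 Mozilla/5.0 200
2020-03-06 10:01:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=AAAAPLACEHOLDER 443 contoso\\alice 198.51.100.7 Mozilla/5.0 500
2020-03-06 10:01:30 10.0.0.5 GET /ecp/default.aspx - 443 contoso\\bob 198.51.100.22 Mozilla/5.0 200
2020-03-06 10:02:00 10.0.0.5 POST /ews/exchange.asmx - 443 - 203.0.113.9 python-requests/2.22 401
2020-03-06 10:02:01 10.0.0.5 POST /ews/exchange.asmx - 443 - 203.0.113.9 python-requests/2.22 401
2020-03-06 10:02:02 10.0.0.5 POST /ews/exchange.asmx - 443 - 203.0.113.9 python-requests/2.22 401
2020-03-06 10:02:03 10.0.0.5 POST /ews/exchange.asmx - 443 - 203.0.113.9 python-requests/2.22 401
2020-03-06 10:02:10 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.22 Outlook/16.0 401
2020-03-06 10:02:11 10.0.0.5 POST /ews/exchange.asmx - 443 contoso\\bob 198.51.100.22 Outlook/16.0 200
"""


def parse_iis(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that cannot be mapped onto a header
        records.append(dict(zip(fields, values)))
    return records


def find_ecp_viewstate_requests(records):
    """Requests under /ecp/ that carry ViewState in the query string.

    A legitimate ECP page round-trips __VIEWSTATE in a POST body. Both
    __VIEWSTATE= and __VIEWSTATEGENERATOR= appearing in the query string of
    an ECP request is the pattern public detection rules key on.
    """
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        if stem.startswith("/ecp/") and "__viewstate=" in query and "__viewstategenerator=" in query:
            hits.append(r)
    return hits


def find_ews_bruteforce(records, threshold=3):
    """Source IPs with at least `threshold` failed (401) requests to EWS.

    A crude indicator for the EWS credential guessing Volexity described;
    the threshold is an assumed value, not a vendor recommendation.
    """
    failures = Counter(
        r["c-ip"] for r in records
        if r.get("cs-uri-stem", "").lower().startswith("/ews/") and r.get("sc-status") == "401"
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_iis(SAMPLE_LOG)
    for hit in find_ecp_viewstate_requests(recs):
        print(f"ECP ViewState in query from {hit['c-ip']} as {hit['cs-username']} (status {hit['sc-status']})")
    for ip, n in find_ews_bruteforce(recs).items():
        print(f"EWS brute-force candidate: {ip} with {n} failed logins")
```

On the constructed sample this flags one ECP request (from 198.51.100.7, authenticated as contoso\alice, answered with a 500) and one EWS source (203.0.113.9 with four failures). A 500 on the flagged request is worth noting but not required: a failed deserialization attempt and a successful one can both leave a 500, so alert on the query-string pattern, not the status code.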

Microsoft Exchange Server RCE vulnerability

As Zuckerbraun explained, “any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server.”

“Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will,” he added. “Accordingly, if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete.”

The actively exploited vulnerability was found in the Exchange Control Panel (ECP) component and is caused by Exchange's failure to generate unique cryptographic keys at installation: every install shipped with the same static ASP.NET machineKey values (validationKey and decryptionKey) in the ECP web.config, so anyone who knows those values can produce ViewState data that the server accepts as authentic.

Once successfully exploited, it allows authenticated attackers to execute code remotely with SYSTEM privileges and fully compromise the server.
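Why a key that is the same on every install is the whole problem is easiest to see with a MAC-protected blob. The following is an added example written for this page, not Exchange or ASP.NET code: it models ViewState validation as base64(payload || HMAC-SHA256(key, payload)), which is a simplified stand-in for the real format, and the static key value is made up (it is not the real ECP machineKey). The demonstration compares a fleet that shares one baked-in key with a fleet where each install draws its own random key.

```python
import base64
import hashlib
import hmac
import os

# Stand-in for a key baked into every install (made-up value, NOT the real
# Exchange ECP machineKey). What matters is that it is identical everywhere.
STATIC_KEY = bytes.fromhex("0123456789abcdef" * 4)
TAG_LEN = 32  # HMAC-SHA256 digest length


def sign_state(key, payload):
    """Serialize opaque state as base64(payload || HMAC-SHA256(key, payload)).

    Simplified model of MAC-validated ViewState; the real ASP.NET format
    differs, but the trust decision is the same: valid MAC means "trusted".
    """
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def verify_state(key, token):
    """Return the payload if the MAC checks out, otherwise None.

    A server that goes on to deserialize whatever it accepts here is trusting
    the MAC as proof the data came from itself.
    """
    raw = base64.b64decode(token)
    if len(raw) < TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def install_with_static_key():
    """The flawed behaviour: every server ends up with the same key."""
    return STATIC_KEY


def install_with_unique_key():
    """What the fix amounts to: each install gets its own random key."""
    return os.urandom(32)


def forge_token(known_key, payload):
    """Anyone who knows the key can mint a token every server using it accepts."""
    return sign_state(known_key, payload)


def tamper(token):
    """Flip one payload byte without re-signing, to show the MAC still works."""
    raw = bytearray(base64.b64decode(token))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def demo():
    forged = forge_token(STATIC_KEY, b"attacker-controlled state")
    shared_server = install_with_static_key()
    unique_server = install_with_unique_key()
    own_token = sign_state(unique_server, b"legit state")
    return {
        "shared_key_accepts_forgery": verify_state(shared_server, forged) is not None,
        "unique_key_accepts_forgery": verify_state(unique_server, forged) is not None,
        "unique_key_accepts_own_token": verify_state(unique_server, own_token) == b"legit state",
        "tampered_token_rejected": verify_state(unique_server, tamper(own_token)) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The MAC itself is sound in both fleets: tampered data is rejected either way. The difference is only who holds the key. With a per-install secret, the attacker's token verifies nowhere but on a server whose key they have already stolen; with a shared static key, one copy of the config file is a signing key for every server, which is why credentials alone were enough here.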

Links to the security update descriptions for vulnerable Microsoft Exchange Server versions and download links are available in the table below:

"Fortunately, this vulnerability does require a compromised credential to exploit and, as a result, will stave off widespread automated exploitation such as those that often deploy cryptocurrency miners or ransomware," Volexity said.

“However, more motivated attackers now have a way to compromise a critical piece of the IT infrastructure if it is not updated.”

Since Microsoft has identified no mitigating factors for this vulnerability, the only real option is to patch your servers before attackers reach them and use the foothold to compromise the entire network. Resetting all users' passwords would render previously stolen credentials useless, but it does not remove the flaw: any valid credential, including one phished or brute-forced later, is enough to exploit an unpatched server.
