Several government-sponsored groups of hackers are exploiting a recently patched vulnerability in Microsoft Exchange email servers.
The exploitation attempts were first discovered on Friday by the British cybersecurity company Volexity and confirmed today to ZDNet by a source in the DOD.
Volexity did not share the names of the hacking groups that were exploiting this Exchange vulnerability. Volexity has not returned a request for comment for additional details.
The DOD source described the hacking groups as “all major players” and declined to name groups or countries.
The Microsoft Exchange vulnerability
These government-sponsored groups of hackers are exploiting a vulnerability in Microsoft Exchange email servers that Microsoft patched last month, in the February 2020 Patch Tuesday.
The vulnerability is tracked as CVE-2020-0688. Below is a summary of the technical details of the vulnerability:
- During installation, Microsoft Exchange servers fail to generate a unique cryptographic key for the Exchange Control Panel.
- This means that all Microsoft Exchange email servers released over the last 10+ years use identical cryptographic keys (validationKey and decryptionKey) for the backend of their control panel.
- An attacker could send malformed requests to the Exchange Control Panel that contain malicious serialized data.
- Because hackers know the control panel’s encryption keys, they can ensure that the serialized data passes validation and is deserialized, which leads to malicious code running on the back end of the Exchange server.
- The malicious code is executed with SYSTEM rights and gives attackers full control over the server.
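The mechanism above has a defender-side consequence: the forged serialized data is submitted to the Exchange Control Panel as an ASP.NET ViewState, and a ViewState that arrives in the query string of a request to /ecp/ (rather than in a normal POST body) is something an analyst can hunt for in IIS logs. The following is an added example, not code from ZDNet, Volexity or TrustedSec. It assumes the standard IIS W3C log layout with a `#Fields:` header, uses constructed log lines, and treats "`__VIEWSTATE` present in the query string of an /ecp/ request" as a heuristic indicator based on the public description of the bug; the field names and sample values are assumptions for illustration.

```python
"""Hunt IIS W3C logs for Exchange Control Panel requests carrying a ViewState in the query string.

Heuristic (assumption): ordinary ASP.NET postbacks send __VIEWSTATE in the POST body,
so a __VIEWSTATE parameter in the *query string* of a request to /ecp/ is unusual and
worth triage. All log lines below are constructed sample data.
"""
from urllib.parse import parse_qs

# Constructed sample IIS log: one benign OWA hit, two /ecp/ requests with a ViewState
# in the query string from the same user and client IP, and one ordinary ECP POST.
SAMPLE_LOG = (
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status\n"
    "2020-03-06 10:15:01 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 203.0.113.10 200\n"
    "2020-03-06 10:15:07 10.0.0.5 GET /ecp/default.aspx "
    "__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAQQ%3D%3D 443 CONTOSO\\alice 203.0.113.10 500\n"
    "2020-03-06 10:15:09 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\bob 198.51.100.7 200\n"
    "2020-03-06 10:16:40 10.0.0.5 GET /ecp/default.aspx "
    "__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAQQ%3D%3D 443 CONTOSO\\alice 203.0.113.10 500\n"
)


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields header.

    IIS writes space-separated values and '-' for empty fields; values never contain
    spaces, so a plain split is sufficient. Lines before a #Fields header are skipped.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; ignore rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_ecp_viewstate_in_query(record):
    """True when the request targets /ecp/ and its query string carries __VIEWSTATE."""
    stem = record.get("cs-uri-stem", "").lower()
    query = record.get("cs-uri-query", "-")
    if not stem.startswith("/ecp/") or query == "-":
        return False
    # Parameter names are matched case-insensitively; values are irrelevant here.
    names = {name.lower() for name in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in names


def find_ecp_viewstate_abuse(records):
    """Return every parsed record that matches the heuristic."""
    return [r for r in records if is_ecp_viewstate_in_query(r)]


def summarize_by_actor(hits):
    """Count hits per (authenticated user, client IP), since the bug is post-authentication
    and the account used is the first thing an analyst wants to know."""
    summary = {}
    for r in hits:
        key = (r.get("cs-username", "-"), r.get("c-ip", "-"))
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    hits = find_ecp_viewstate_abuse(parse_iis_log(SAMPLE_LOG))
    for (user, ip), count in summarize_by_actor(hits).items():
        print(f"{user} from {ip}: {count} /ecp/ request(s) with __VIEWSTATE in the query string")
```

The summary keys on the authenticated account because, as the article notes, the bug is only reachable with valid credentials; a hit therefore also tells you which account to reset and which mailbox to review. On a real server the input would be the contents of the IIS log directory for the Exchange site rather than the constructed string.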
Microsoft released patches for this bug on February 11th and at the same time warned system administrators to apply the fixes as soon as possible, ahead of future attacks.
Nothing happened for almost two weeks. Things escalated towards the end of the month, when the Zero Day Initiative, which had reported the bug to Microsoft, released a technical report detailing the bug and how it works.
The report served as a roadmap for security researchers, who used the information it contained to create proof-of-concept exploits so they could test their own servers, create detection rules, and prepare countermeasures.
As in many other cases before, hackers also took notice once technical details and proof-of-concept code became public.
On February 26, the day after the Zero Day Initiative report was published, groups of hackers began scouring the Internet for Exchange servers and compiling lists of vulnerable servers that they could attack at a later date. The first scans of this type were discovered by the threat intelligence company Bad Packets.
Now, according to Volexity, the scans for Exchange servers have become real attacks.
The first to weaponize this bug were APTs – Advanced Persistent Threats, a term often used to describe government-sponsored groups of hackers.
However, other groups are expected to follow suit. Security researchers ZDNet spoke to today said they believe the bug will become very popular with ransomware gangs who regularly target corporate networks.
Weaponizing old, useless phished credentials
However, this Exchange vulnerability is not easy to exploit. Security professionals don’t see this bug being misused by script kiddies (a term used to describe unskilled, low-level hackers).
To exploit the Exchange bug CVE-2020-0688, hackers need the credentials for an email account on the Exchange server – something that script kiddies usually don’t have.
The CVE-2020-0688 vulnerability is a so-called post-authentication bug. Hackers need to log in first and then run the malicious payload that hijacks the victim’s email server.
But while this restriction will keep script kiddies away, it won’t stop APTs and ransomware gangs, experts said.
APTs and ransomware gangs often spend most of their time launching phishing campaigns, through which they obtain email credentials for a company’s employees.
If a company enforces two-factor authentication (2FA) on email accounts, those credentials are essentially useless because hackers cannot bypass 2FA.
The CVE-2020-0688 bug finally lets APTs find a use for those older 2FA-protected accounts that they phished months or years ago.
Any of these older credentials can be used as part of the CVE-2020-0688 exploit without having to bypass 2FA, and still take over the victim’s Exchange server.
Organizations that have “APTs” or “ransomware” in their threat matrix are advised to update their Exchange email servers with the February 2020 security updates as soon as possible.
All Microsoft Exchange servers are considered vulnerable, even end-of-life (EoL) versions. For EoL versions, companies should consider upgrading to a newer version of Exchange. If the Exchange server cannot be updated, it is recommended that organizations force a password reset for all Exchange accounts.
E-mail server takeover is the holy grail of APT attacks as it allows nation-state groups to intercept and read a company’s e-mail communications.
APTs have already targeted Exchange servers. Previous APTs that hacked Exchange include Turla (a Russia-related group) and APT33 (an Iranian group).
This blog post from TrustedSec provides instructions on how to tell whether an Exchange server has already been compromised through this bug.