Hackers still looking to breach vulnerable Microsoft Exchange servers

by Don Sharpe


Malicious actors have not stopped trying to exploit the CVE-2020-0688 vulnerability in internet-facing Microsoft Exchange servers, the National Security Agency (NSA) warned recently.

This threat would probably be old news by now if every organization running a vulnerable server had applied the update Microsoft released and recommended.

According to a tweet by the NSA, an attacker needs nothing more than a valid set of email credentials to execute code remotely on an unpatched server.

APT actors are actively breaching unpatched servers

News of large-scale scanning for unpatched Exchange servers surfaced on February 25, 2020. At that time, not a single successful breach had been reported.

But the Zero Day Initiative (ZDI), Trend Micro's bug-bounty program, had already published a write-up and proof-of-concept video demonstrating a remote CVE-2020-0688 attack.

Now it looks like the search for exposed internet-facing servers has borne fruit, to the dismay of organizations caught unprepared. According to multiple reports, including a tweet by a cybersecurity firm, the vulnerability is being actively exploited against Microsoft Exchange servers.

What is even more alarming is the involvement of Advanced Persistent Threat (APT) actors in the campaign.

APT groups are typically states or state-sponsored entities. They have the tooling, skills and funding to stealthily attack some of the most heavily defended corporate networks and resources.

Microsoft rated CVE-2020-0688 as Important when it published the fix almost a month ago. Even so, this remote code execution (RCE) hole still deserves serious attention today, as the NSA's reminder makes plain.

Affected MS Exchange servers

If you are still running an unpatched, internet-facing Exchange server, patch as soon as possible to forestall a potential disaster. Security updates are available for the affected versions: Exchange Server 2010, 2013, 2016, and 2019.

When it released the updates, Microsoft said the vulnerability stems from the server failing to create unique cryptographic keys at install time: every installation ends up with the same validation key. An attacker who knows that key can exploit the flaw to execute malicious code remotely on an exposed system.

Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
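The deserialization described above is reached, as the ZDI write-up the article refers to shows, through the ASP.NET __VIEWSTATE parameter of the Exchange Control Panel (the /ecp web application). Legitimate ECP pages carry their ViewState in POST bodies, which IIS does not log, so a request to /ecp/ with __VIEWSTATE in the query string is a strong indicator of an exploit attempt and is easy to hunt for in the W3C-format IIS logs. The script below is an added example written for this article, not code from the page, from ZDI or from Microsoft. The log excerpt is constructed, not a real capture; the user names, IP addresses, timestamps, the generator value and the ViewState payload are placeholders, and the payload is not a working gadget chain.

```python
import re
from urllib.parse import parse_qs, quote

# Constructed payload placeholder: base64-looking, long, URL-encoded the way
# an exploit tool would put it in a GET query string. Not a real gadget chain.
_PAYLOAD = quote("/wEy" + "A" * 600 + "=", safe="")

# Constructed W3C IIS log excerpt (not a real capture). Normal OWA/ECP traffic
# first; the last two records mimic exploit attempts. The final record uses a
# percent-encoded parameter name (%5F%5FVIEWSTATE) to show that naive string
# matching on "__VIEWSTATE" would miss it.
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-03-06 09:12:01 POST /owa/auth.owa - - 198.51.100.7 302
2020-03-06 09:12:05 GET /owa/ - contoso\\alice 198.51.100.7 200
2020-03-06 09:13:10 GET /ecp/default.aspx - contoso\\alice 198.51.100.7 200
2020-03-06 09:13:11 POST /ecp/default.aspx - contoso\\alice 198.51.100.7 200
2020-03-06 11:40:22 GET /ecp/default.aspx __VIEWSTATEGENERATOR=AAAAAAAA&__VIEWSTATE={_PAYLOAD} contoso\\bob 203.0.113.45 500
2020-03-06 11:41:03 GET /ecp/default.aspx %5F%5FVIEWSTATEGENERATOR=AAAAAAAA&%5F%5FVIEWSTATE={_PAYLOAD} contoso\\bob 203.0.113.45 500
"""


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names.

    The field list is taken from the #Fields directive so the parser works
    regardless of which columns the server was configured to log.
    """
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data record before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-map columns
        rec = dict(zip(fields, values))
        rec["_line"] = lineno
        records.append(rec)
    return records


def find_ecp_viewstate_requests(records):
    """Flag requests to /ecp/ that carry __VIEWSTATE in the query string.

    parse_qs decodes parameter names, so %5F%5FVIEWSTATE is matched as well as
    the literal form. Matching is case-insensitive on both path and name.
    """
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if not stem.startswith("/ecp/") or query == "-":
            continue
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        payload = params.get("__viewstate")
        if not payload:
            continue
        hits.append({
            "line": rec["_line"],
            "time": f"{rec.get('date', '-')} {rec.get('time', '-')}",
            "user": rec.get("cs-username", "-"),
            "client_ip": rec.get("c-ip", "-"),
            "status": rec.get("sc-status", "-"),
            "viewstate_len": len(payload[0]),
            "has_generator": "__viewstategenerator" in params,
        })
    return hits


if __name__ == "__main__":
    for hit in find_ecp_viewstate_requests(parse_iis_log(SAMPLE_LOG)):
        print(f"line {hit['line']}: {hit['time']} user={hit['user']} "
              f"ip={hit['client_ip']} status={hit['status']} "
              f"viewstate={hit['viewstate_len']} bytes generator={hit['has_generator']}")
```

Point the parser at the real files under the IIS log directory of the Exchange server (the default log layout is W3C with a #Fields header, so the same function applies) and treat every hit as a compromise of the named mailbox credentials as well as a possible server compromise: the request only works with a valid login, so the account that sent it needs a password reset and a review of its recent activity, independently of patching the server.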

Knocking the server offline is one possible outcome of a breach like this (an outage of a single server is a denial of service, DoS, not a DDoS), but it is the least of the worries: code running as SYSTEM gives the attacker full control of the Exchange server and the mail it holds. Microsoft has not acknowledged receiving reports of such a breach, though.

For now, installing the patch is the only real remedy for CVE-2020-0688. Because an attacker needs a valid mailbox login before the exploit works, limiting who can reach the server's web interfaces from the internet and watching for abused credentials buys some time, but neither is a substitute for the update.