Saturday, January 16, 04:03

Microsoft Exchange servers: Government hacking teams take advantage of the bug!

Multiple government-backed hacking groups are exploiting a vulnerability in Microsoft Exchange email servers that Microsoft patched only recently.

The exploitation efforts were first identified on Friday by Volexity, a cybersecurity company based in the United Kingdom, and were confirmed to ZDNet today by a source.

Volexity did not name the hacking groups exploiting this Exchange vulnerability. The source described them as "all the big players", but also declined to name groups or countries.

The Microsoft Exchange vulnerability

These government-backed groups are exploiting a vulnerability in Microsoft Exchange email servers which Microsoft patched last month.

The vulnerability is tracked as CVE-2020-0688. A summary of its technical details:

  • During installation, Microsoft Exchange servers fail to create a unique cryptographic key for the Exchange Control Panel.
  • This means that all Microsoft Exchange email servers released in the last 10 years use identical cryptographic keys (validationKey and decryptionKey) for their backend control panel.
  • Attackers can send malformed requests to the Exchange Control Panel containing malicious serialized data.
  • Since the attackers know the control panel's keys, they can craft serialized data that the server accepts as valid and deserializes, which results in malicious code running on the Exchange server's backend.
  • The malicious code is executed with SYSTEM privileges, giving the attackers complete control of the server.

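The first two bullets describe a key-management failure rather than a parsing bug: a machineKey only protects ViewState if each installation has a secret of its own. The following audit script is an added example (not code from the article, Microsoft, or any of the researchers mentioned) that reads machineKey elements from several web.config files, reports any key pair shared by more than one server, and shows what "unique key per installation" means by rewriting the shared ones. The configuration fragments and key values are constructed sample data, and the placement of Exchange's own file (`ClientAccess\ecp\web.config` under the Exchange install directory) is an assumption; the supported fix remains installing Microsoft's February 2020 update.

```python
"""Audit whether several ASP.NET web.config files share the same machineKey.

Added illustration of the flaw described above, not code from the original
article or from Microsoft.  Config fragments and key values are constructed.
"""
import os
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs for three hypothetical servers.  "exch-a" and
# "exch-b" ship with one and the same key pair; "exch-c" has keys of its own.
# The hex strings are placeholders, not real default keys.
SHARED_VALIDATION = "A1" * 24
SHARED_DECRYPTION = "B2" * 16
OWN_VALIDATION = "C3" * 24
OWN_DECRYPTION = "D4" * 16

def _config(validation, decryption):
    return (
        '<configuration><system.web>'
        f'<machineKey validationKey="{validation}" decryptionKey="{decryption}" '
        'validation="SHA1" decryption="AES"/>'
        '</system.web></configuration>'
    )

SAMPLE_CONFIGS = {
    "exch-a": _config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "exch-b": _config(SHARED_VALIDATION, SHARED_DECRYPTION),
    "exch-c": _config(OWN_VALIDATION, OWN_DECRYPTION),
}

def extract_machine_key(config_xml):
    """Return (validationKey, decryptionKey) from a web.config string, or None if absent."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return None
    return (node.get("validationKey", "").upper(), node.get("decryptionKey", "").upper())

def find_shared_keys(configs):
    """Map every key pair used by more than one server to the sorted names of those servers."""
    owners = defaultdict(list)
    for server, xml_text in configs.items():
        pair = extract_machine_key(xml_text)
        if pair is not None:
            owners[pair].append(server)
    return {pair: sorted(names) for pair, names in owners.items() if len(names) > 1}

def generate_machine_key():
    """Fresh random keys in hex: 64-byte validationKey and 32-byte decryptionKey,
    the sizes the IIS machine-key generator produces for SHA1/AES."""
    return os.urandom(64).hex().upper(), os.urandom(32).hex().upper()

def with_unique_key(config_xml, key_pair=None):
    """Return the config with its machineKey replaced by the given pair (or a new random one)."""
    validation, decryption = key_pair or generate_machine_key()
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        raise ValueError("no <machineKey> element found")
    node.set("validationKey", validation)
    node.set("decryptionKey", decryption)
    return ET.tostring(root, encoding="unicode")

def rekey_shared(configs):
    """Give every server that shares a key pair with another server a pair of its own."""
    shared = {s for servers in find_shared_keys(configs).values() for s in servers}
    return {s: (with_unique_key(x) if s in shared else x) for s, x in configs.items()}

if __name__ == "__main__":
    for pair, servers in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"machineKey shared by {', '.join(servers)} (validationKey starts {pair[0][:8]}...)")
    print("shared pairs after rekey:", find_shared_keys(rekey_shared(SAMPLE_CONFIGS)))
```

Running the script reports that `exch-a` and `exch-b` share a key pair and that no pair is shared once they are rekeyed. In a real fleet the same comparison across all Exchange servers' ECP configs is a quick way to confirm the patch actually installed a unique key on each host.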
Microsoft released patches for this bug on February 11, and at the same time warned system administrators to install them as soon as possible, anticipating future attacks.

Nothing happened for almost two weeks. Things escalated towards the end of the month, however, when the Zero-Day Initiative, which had reported the bug to Microsoft, published a technical write-up detailing the bug and how it worked.

The write-up served as a roadmap for security researchers, who used the information in it to build proof-of-concept exploits so they could test their own servers, write detection rules, and prepare mitigations.

At least three such proof-of-concepts were published on GitHub [1, 2, 3]. A Metasploit module soon followed.

As in many other cases, once technical details and code were made public, attackers began to pay attention as well.

On February 26, the day after the Zero-Day Initiative report was published, hacking groups began scanning the internet for Exchange servers, compiling lists of vulnerable servers to target later. The first such scans were detected by threat intelligence firm Bad Packets.

Now, according to Volexity, the scanning of Exchange servers has turned into actual attacks.

The first to use this bug were APTs, a term often used to describe state-sponsored hacking groups.

However, other groups are expected to follow. Security researchers say they expect the bug to become very popular with ransomware gangs that target corporate networks.

Still, this Exchange vulnerability is not easy to exploit. Security experts do not expect it to be exploited by script kiddies (a term for low-skilled hackers).

To exploit CVE-2020-0688, attackers need the credentials of an Exchange email account, something script kiddies usually do not have.

CVE-2020-0688 is a so-called post-authentication bug. Attackers must first log in and only then can they execute the malicious payload that hijacks the victim's email server.

But while this restriction will keep script kiddies away, it will not stop APTs and ransomware gangs, experts said.

APTs and ransomware gangs spend much of their time running phishing campaigns, through which they obtain the email credentials of a company's employees.

If an organization enforces two-factor authentication (2FA) on email accounts, those credentials are essentially useless, as hackers cannot bypass 2FA.

CVE-2020-0688 finally gives APTs a use for older credentials of 2FA-protected accounts that they obtained months or years ago.

They can use any of these older credentials without having to bypass 2FA and still manage to take over the victim's Exchange server.

Organizations that have APTs or ransomware in their threat model are advised to update their Exchange email servers with the February 2020 security updates as soon as possible.

Compromising email servers is a prime objective of APT attacks, as it allows them to monitor and read a company's email communications.

This post from TrustedSec contains instructions on how to detect whether an Exchange server has already been compromised through this bug.
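One log-based check of the kind such hunting guidance relies on, as an added example that is not TrustedSec's own script: the public exploits for CVE-2020-0688 deliver the crafted ViewState as `__VIEWSTATE` / `__VIEWSTATEGENERATOR` parameters in the URL query string of a request to `/ecp/`, whereas a browser submits ViewState in the POST body, so an `/ecp/` request with those names in the IIS `cs-uri-query` field is worth investigating. The script parses IIS W3C logs using the `#Fields:` header and reports matching entries. The log lines are constructed samples, and the exact field set is an assumption (real logs vary by configuration, which is why the parser reads the header instead of hard-coding columns).

```python
"""Flag Exchange Control Panel requests that carry ViewState in the query string.

Added example for the detection described above; not code from the article or
from TrustedSec.  Log lines below are constructed samples in IIS W3C format.
"""
from urllib.parse import parse_qs

# Constructed sample log.  IIS writes "-" for empty fields and "+" for spaces
# inside a field, so every field can be split on a single space.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-06 10:15:01 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200
2020-03-06 10:15:07 10.0.0.5 POST /ecp/default.aspx - 443 CORP\jdoe 192.0.2.10 Mozilla/5.0 200
2020-03-06 10:16:42 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=REDACTED&__VIEWSTATE=REDACTED 443 CORP\olduser 198.51.100.7 python-requests/2.22 500
2020-03-06 10:16:43 10.0.0.5 GET /ecp/default.aspx __viewstate=REDACTED 443 - 198.51.100.7 python-requests/2.22 302
"""

VIEWSTATE_PARAMS = {"__viewstate", "__viewstategenerator"}

def parse_w3c(lines):
    """Yield one dict per log entry, naming columns from the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entry encountered before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                      # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))

def query_param_names(query):
    """Lower-cased parameter names in a cs-uri-query value ('-' means no query string)."""
    if query == "-":
        return set()
    return {name.lower() for name in parse_qs(query, keep_blank_values=True)}

def find_ecp_viewstate_requests(lines):
    """Return entries whose URL path is under /ecp/ and whose query string names a ViewState field."""
    hits = []
    for entry in parse_w3c(lines):
        stem = entry.get("cs-uri-stem", "").lower()
        if not stem.startswith("/ecp/"):
            continue
        names = query_param_names(entry.get("cs-uri-query", "-"))
        if names & VIEWSTATE_PARAMS:
            hits.append({
                "time": f"{entry.get('date', '?')} {entry.get('time', '?')}",
                "method": entry.get("cs-method"),
                "client": entry.get("c-ip"),
                "user": entry.get("cs-username"),
                "status": entry.get("sc-status"),
                "params": sorted(names & VIEWSTATE_PARAMS),
            })
    return hits

if __name__ == "__main__":
    for hit in find_ecp_viewstate_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['client']} user={hit['user']} "
              f"{hit['method']} /ecp/ with {','.join(hit['params'])} -> HTTP {hit['status']}")
```

On the sample, the two requests from 198.51.100.7 are flagged while the ordinary OWA and ECP form POST are not. Note what the script does and does not tell you: a hit shows that someone authenticated (see the `cs-username` column) and sent ViewState where a browser never does, so the account and source address deserve a closer look, but it does not by itself prove the payload ran. The HTTP status is recorded for that reason: the TrustedSec post describes what the server logs when a crafted ViewState is processed, and those entries should be correlated with the flagged requests.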

Teo Ehc