Multiple government-backed hacking groups are exploiting a vulnerability in Microsoft Exchange email servers that Microsoft patched only recently, according to security firm Volexity.
Volexity did not name the hacking groups exploiting this Exchange vulnerability. A source described them as "all the big players", but also declined to name specific groups or countries.
The Microsoft Exchange vulnerability
These government-backed groups are exploiting a vulnerability in Microsoft Exchange email servers that Microsoft patched last month.
The vulnerability is tracked as CVE-2020-0688. A summary of its technical details:
- During installation, Microsoft Exchange servers fail to generate a unique cryptographic key for the Exchange Control Panel (ECP).
- This means that all Microsoft Exchange email servers released in the last 10 years ship with identical cryptographic keys (validationKey and decryptionKey) for their backend control panel.
- Attackers can send malformed requests to the Exchange Control Panel containing malicious serialized data.
- Because the attackers know the control panel's keys, they can sign the serialized data so that it passes the server's integrity check and is deserialized, resulting in attacker-supplied code running on the backend of the Exchange server.
- The malicious code runs with SYSTEM privileges, giving the attackers full control of the server.
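To make the mechanism in the list above concrete, here is an added Python model written for this page; it is not Exchange's or ASP.NET's real code. It reproduces the pattern at the heart of the bug: the server MACs an opaque serialized state blob with a key, hands it to the client, and deserializes whatever comes back only if the MAC verifies. ASP.NET's real ViewState binds the MAC to the page's __VIEWSTATEGENERATOR and to a per-session ViewStateUserKey, which is why the attacker first has to log in and obtain those values; the model folds both into a single `modifier`. The key bytes, the generator and session placeholders and the "gadget" payload are all constructed, JSON stands in for ObjectStateFormatter's deserializer, and only the validationKey (integrity) side is modelled, not the decryptionKey. The point it demonstrates is that the MAC is exactly as strong as the key's secrecy: with the static key every installation shares, a forged blob verifies; with a per-installation random key it does not.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the single validationKey that every Exchange
# installation shipped with in its ECP web.config (the real value is not used here).
STATIC_VALIDATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(state: bytes, key: bytes, modifier: bytes) -> str:
    """Server side: MAC the serialized state together with the modifier and
    return the opaque base64 token that the client will echo back."""
    mac = hmac.new(key, state + modifier, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_and_load(token: str, key: bytes, modifier: bytes):
    """Server side: recompute the MAC and only then deserialize.
    Returns the decoded object, or None when validation fails (the case the
    server rejects as an invalid viewstate without ever deserializing it)."""
    raw = base64.b64decode(token)
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, state + modifier, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(state)  # stands in for ObjectStateFormatter.Deserialize


def forge(payload: dict, key: bytes, modifier: bytes) -> str:
    """Attacker side: once the key is known, forging a token is just calling
    sign() over attacker-chosen serialized data."""
    return sign(json.dumps(payload).encode("utf-8"), key, modifier)


def demo() -> dict:
    # Constructed: what a logged-in attacker reads from the ECP page and their own
    # session cookie, analogous to __VIEWSTATEGENERATOR plus ASP.NET_SessionId.
    modifier = b"<generator-id>" + b"<attacker-session-id>"
    # Constructed: stands in for a deserialization gadget chain.
    evil = {"gadget": "run attacker command as SYSTEM"}

    # Vulnerable configuration: every installation shares STATIC_VALIDATION_KEY,
    # so the attacker can compute a MAC the server will accept.
    forged = forge(evil, STATIC_VALIDATION_KEY, modifier)
    accepted_by_static = verify_and_load(forged, STATIC_VALIDATION_KEY, modifier)

    # Fixed behaviour: a per-installation random key the attacker has never seen.
    unique_key = secrets.token_bytes(24)
    accepted_by_unique = verify_and_load(forged, unique_key, modifier)

    return {
        "static_key_accepts_forgery": accepted_by_static == evil,
        "unique_key_accepts_forgery": accepted_by_unique is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the forged token accepted under the shared key and rejected under the unique one; changing only the modifier (a different session) also makes verification fail, which is why the attacker must hold a valid login rather than just the key.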
Microsoft released patches for this bug on February 11, when it also urged system administrators to install them as soon as possible, anticipating future attacks.
Nothing happened for almost two weeks. Things escalated towards the end of the month, however, when the Zero-Day Initiative, which had reported the bug to Microsoft, published a technical write-up detailing the bug and how it worked.
The write-up served as a roadmap for security researchers, who used the information in it to build proof-of-concept exploits so they could test their own servers, write detection rules and prepare mitigations.
At least three such proof-of-concepts appeared on GitHub [1, 2, 3]. A Metasploit module soon followed.
As in many other cases, once technical details and code were public, attackers began to pay attention too.
On February 26, the day after the Zero-Day Initiative write-up was published, hacking groups began scanning the internet for Exchange servers, compiling lists of vulnerable hosts that could be targeted later. The first such scans were detected by threat intelligence firm Bad Packets.
Now, according to Volexity, the scans for Exchange servers have turned into actual attacks.
The first to use this bug were APTs (advanced persistent threats), a term often used to describe state-sponsored hacking groups.
Other groups are expected to follow, however. Security researchers say they expect the bug to become very popular with ransomware gangs targeting enterprise networks.
That said, this Exchange vulnerability is not easy to exploit. Security experts do not expect to see this bug abused by script kiddies (a term for low-skilled attackers).
To exploit CVE-2020-0688, attackers need valid credentials for an Exchange mailbox account, something script kiddies usually do not have.
CVE-2020-0688 is what is known as a post-authentication bug: attackers must first log in, and only then can they deliver the malicious payload that hijacks the victim's email server.
But while this restriction will keep script kiddies away, it will not deter APTs and ransomware gangs, experts said.
APTs and ransomware gangs spend much of their time running phishing campaigns, through which they collect the email credentials of a company's employees.
If an organization enforces two-factor authentication (2FA) on email accounts, such stolen credentials are of little use on their own, since the attackers would also have to bypass the second factor.
CVE-2020-0688 allows APTs to finally find a use for older credentials of 2FA-protected accounts that they collected months or years ago.
They can use any of these older credentials without having to bypass 2FA, and still end up in control of the victim's Exchange server.
Organizations that count APTs or ransomware gangs in their threat model are advised to apply the February 2020 security updates to their Exchange email servers as soon as possible.
Email servers are a prime target in APT attacks, since compromising one lets the attackers monitor and read a company's email communications.
This post from TrustedSec contains instructions on how to detect an Exchange server that has already been compromised through this bug.
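As an added example for this page (it is not taken from the TrustedSec post or from any other part of the original article), the following Python reads an IIS W3C log and flags one trace this bug leaves behind: the public proof-of-concept sends its payload as a __VIEWSTATE parameter in the query string of a request to /ecp/default.aspx, and IIS records query strings in its cs-uri-query field, whereas a legitimate ECP page posts its ViewState in the request body, which IIS does not log. The log excerpt is constructed for illustration and follows IIS's default W3C field layout; the hostnames, user names and IP addresses in it are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not a real capture). IIS writes spaces in the
# user agent as '+' and logs an empty field as '-', which the parser relies on.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-03-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-01 10:00:01 10.0.0.5 GET /owa/ - 443 CORP\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2020-03-01 10:00:07 10.0.0.5 POST /ecp/default.aspx - 443 CORP\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/ecp/ 200 0 0 80
2020-03-01 10:02:13 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=0123ABCD&__VIEWSTATE=%2FwEyCONSTRUCTEDPAYLOAD%3D%3D 443 CORP\bob 198.51.100.7 python-requests/2.22.0 - 500 0 0 312
2020-03-01 10:03:00 10.0.0.5 GET /owa/auth/logon.aspx __VIEWSTATE=abc 443 - 203.0.113.9 Mozilla/5.0+(X11) - 200 0 0 50
2020-03-01 10:03:05 truncated
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    user: str
    method: str
    uri_stem: str
    status: str
    viewstate_len: int


# __VIEWSTATE as a query-string parameter. ASP.NET looks request keys up
# case-insensitively, so the detection matches the same way.
VIEWSTATE_RE = re.compile(r"(?:^|&)__VIEWSTATE=([^&]*)", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one field->value dict per request line, keyed by the most recent
    #Fields directive. Lines whose column count does not match the directive
    are skipped rather than mis-aligned into the wrong columns."""
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_ecp_viewstate_requests(lines: Iterable[str]) -> List[Hit]:
    """Flag requests under /ecp/ that carry __VIEWSTATE in the query string.
    The response code is deliberately not used as a filter: the payload runs
    before the server answers, so a 500 and a 200 are equally suspicious."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        if not rec.get("cs-uri-stem", "-").lower().startswith("/ecp/"):
            continue
        match = VIEWSTATE_RE.search(rec.get("cs-uri-query", "-"))
        if match is None:
            continue
        hits.append(Hit(
            time=f'{rec.get("date", "-")} {rec.get("time", "-")}',
            client_ip=rec.get("c-ip", "-"),
            user=rec.get("cs-username", "-"),
            method=rec.get("cs-method", "-"),
            uri_stem=rec.get("cs-uri-stem", "-"),
            status=rec.get("sc-status", "-"),
            viewstate_len=len(unquote(match.group(1))),
        ))
    return hits


if __name__ == "__main__":
    for hit in find_ecp_viewstate_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the constructed excerpt only the GET to /ecp/default.aspx from 198.51.100.7 is flagged; the normal ECP POST (ViewState in the body, so cs-uri-query is "-") and the OWA request with a ViewState parameter outside /ecp/ are not. Because exploitation is post-authentication, the cs-username on a hit identifies which account's credentials the attacker used, which is the lead to follow up on.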