Microsoft Exchange Server Flaw Exploited in APT Attacks

A vulnerability in Microsoft Exchange servers is being actively exploited by multiple APT groups, researchers warn.

Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.

The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.

“What we have seen thus far are multiple Chinese APT groups exploiting or attempting to exploit this flaw,” Steven Adair, founder and president of Volexity, told Threatpost. “However, I think it is safe to say that this exploit is now in the hands of operators around the world and unfortunately some companies that have not patched yet or did not patch quickly enough are likely to pay the price.”

Attacks first started in late February and targeted “numerous affected organizations,” researchers said. They observed attackers leveraging the flaw to run system commands for reconnaissance, deploy webshell backdoors and execute in-memory post-exploitation frameworks.

After Microsoft patched the flaw in February, researchers with the Zero Day Initiative (ZDI), which first reported the vulnerability, published further details of the flaw and how it could be exploited. And, on March 4, Rapid7 published a module that incorporated the exploit into the Metasploit penetration testing framework.

The vulnerability exists in the Exchange Control Panel (ECP), a web-based management interface for administrators introduced in Exchange Server 2010. Specifically, instead of cryptographic keys that are randomly generated for each installation, every installation’s ECP configuration contains the same cryptographic key values. These keys are used to protect ViewState, the server-side state that ASP.NET web applications store in serialized form on the client.

According to ZDI, an attacker could exploit a vulnerable Exchange server if it was unpatched (before Feb. 11, 2020), if the ECP interface was accessible to the attacker, and if the attacker had a working credential allowing them to access the ECP. After accessing the ECP using compromised credentials, attackers can take advantage of the fixed cryptographic keys by tricking the server into deserializing maliciously crafted ViewState data, allowing them to take over the Exchange server.
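The following toy model, added here and not code from the article, ZDI or Exchange, shows why a key shared by every installation defeats ViewState MAC validation: the server only deserializes ViewState whose MAC verifies under its machine key, so a blob signed with a key everyone knows is accepted, while a per-installation random key (what the fix amounts to) rejects it. The state format, key value and function names are assumptions; the real ViewState serializer and key are not reproduced.

```python
import base64
import hashlib
import hmac
import json
import os

# Toy model of ASP.NET ViewState MAC protection (not the real format or serializer).
# State is JSON rather than a binary object graph, so nothing here is a real gadget.

def sign_viewstate(key: bytes, state: dict) -> str:
    """Server side: serialize state and append an HMAC keyed with the machine key."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()

def verify_viewstate(key: bytes, blob: str):
    """Server side: check the MAC before deserializing; return the state or None."""
    raw = base64.b64decode(blob)
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # MAC failure: the blob never reaches the deserializer
    return json.loads(payload)

# Constructed placeholder standing in for the key shipped identically in every
# ECP web.config before the patch; the real value is deliberately not reproduced.
SHARED_STATIC_KEY = b"placeholder-key-identical-on-every-install"

def per_install_key() -> bytes:
    """What the fix amounts to: a key generated randomly for this installation."""
    return os.urandom(32)

def crafted_blob_accepted(server_key: bytes, known_key: bytes) -> bool:
    """Does a blob built by anyone who knows `known_key` pass a server using `server_key`?
    Models the pre-patch case (both keys equal) versus per-install random keys."""
    blob = sign_viewstate(known_key, {"__control": "crafted"})
    return verify_viewstate(server_key, blob) is not None
```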

“We realized the severity of this bug when we purchased it,” Brian Gorenc, director of vulnerability research and head of Trend Micro’s ZDI program, told Threatpost via email. “That’s why we worked with Microsoft to get it patched through coordinated disclosure, and it’s why we provided defenders detailed information about it through our blog. We felt Exchange administrators should treat this as a Critical patch rather than Important as labelled by Microsoft. We encourage everyone to apply the patch as soon as possible to protect themselves from this vulnerability.”

Researchers said, while an attacker would need a credential to leverage the exploit, the credential does not need to be highly privileged or even have ECP access.

After technical details of the flaw were disclosed, researchers said they observed multiple APT groups attempting to brute force credentials by leveraging Exchange Web Services (EWS), which they said was likely an effort to exploit this vulnerability.

“While brute-forcing credentials is a common occurrence, the frequency and intensity of attacks at certain organizations has increased dramatically following the vulnerability disclosure,” researchers said.

Researchers said they believe these efforts to be sourced from “known APT groups” due to the overlap of their IP addresses from other, previous attacks. Also, in some cases, the credentials used were tied to previous breaches by the APT groups.
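As an added example (not from the article or Volexity), the detection below runs over a constructed IIS W3C log excerpt of the kind an Exchange front end writes and flags the pattern described above: a burst of failed (401) authentications against EWS from one source IP, a success following the burst (a credential that worked), and subsequent ECP access from the same IP. The log lines, IPs and threshold are constructed sample values.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (sample data, not from the article).
# IIS replaces spaces in the user agent with '+', so whitespace splitting is safe.
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status sc-substatus
2020-03-02 10:00:01 POST /EWS/Exchange.asmx - 198.51.100.7 python-requests/2.22 401 1
2020-03-02 10:00:02 POST /EWS/Exchange.asmx - 198.51.100.7 python-requests/2.22 401 1
2020-03-02 10:00:02 POST /EWS/Exchange.asmx - 198.51.100.7 python-requests/2.22 401 1
2020-03-02 10:00:03 POST /EWS/Exchange.asmx - 198.51.100.7 python-requests/2.22 401 1
2020-03-02 10:00:03 POST /EWS/Exchange.asmx - 198.51.100.7 python-requests/2.22 401 1
2020-03-02 10:00:04 POST /EWS/Exchange.asmx CORP\jdoe 198.51.100.7 python-requests/2.22 200 0
2020-03-02 10:00:09 GET /ecp/default.aspx CORP\jdoe 198.51.100.7 python-requests/2.22 200 0
2020-03-02 10:01:00 POST /EWS/Exchange.asmx - 203.0.113.9 Outlook/16.0 401 1
2020-03-02 10:01:05 POST /EWS/Exchange.asmx CORP\asmith 203.0.113.9 Outlook/16.0 200 0
"""

def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def ews_bruteforce_report(text, threshold=5):
    """Per source IP: count 401s on /EWS/, note a 200 that follows them (working
    credential) and any later /ecp/ request. Return only IPs at or above `threshold`."""
    report = defaultdict(lambda: {"failures": 0, "success_after_failures": False,
                                  "users": set(), "ecp_after": False})
    for r in parse_iis_log(text):
        stem, ip, status = r["cs-uri-stem"].lower(), r["c-ip"], r["sc-status"]
        if stem.startswith("/ews/"):
            if status == "401":
                report[ip]["failures"] += 1
            elif status == "200" and report[ip]["failures"] > 0:
                report[ip]["success_after_failures"] = True
                report[ip]["users"].add(r["cs-username"])
        elif stem.startswith("/ecp/") and report[ip]["success_after_failures"]:
            report[ip]["ecp_after"] = True
    return {ip: v for ip, v in report.items() if v["failures"] >= threshold}
```

The threshold is a starting point only; tune it against the normal failure rate of legitimate mail clients, and corroborate hits with the IP overlap against earlier intrusions that the researchers describe.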

In the coming months, Adair told Threatpost he suspects there could easily be hundreds of organizations being hit with this exploit.

“From our perspective the successful attacks we have seen are just a handful of different servers and organizations,” Adair said. “However, I would expect that attackers have been accessing compromised credentials all around the world and are not able to make better use of them.”

Researchers encourage organizations to ensure that they’re up to date on security updates from Microsoft, as well as place access control list (ACL) restrictions on the ECP virtual directory or via any web application firewall capability. Firms should also continue to expire passwords and require users to update passwords periodically, researchers said.

“This vulnerability underscores such a case where an organization can be locked down, have properly deployed 2FA, and still have an incident due to outdated or weak passwords,” said researchers.
