APT Groups Attack Exchange Servers Via Patched Flaw

Multiple likely state-backed APT groups have been detected exploiting a recently patched Microsoft flaw to target Exchange servers.

The vulnerability in question, CVE-2020-0688, was discovered by an anonymous security researcher and reported to Microsoft via Trend Micro’s Zero Day Initiative (ZDI). It was fixed in the February Patch Tuesday update round, but discovered by Volexity around two weeks later being exploited in the wild.

The flaw is found in the Exchange Control Panel (ECP) component and results from “Exchange Server failing to properly create unique cryptographic keys at the time of installation,” according to the ZDI.

It works on unpatched systems but only if the ECP interface is accessible to the attacker and if they have a working credential to access the ECP.

“In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use. Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail, etc., limiting what an attacker can do with a compromised password,” explained Volexity.

“This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account. This issue further underscores why changing passwords periodically is a good best practice, regardless of security measures like 2FA.”

So far, the firm has observed attackers exploiting the bug to run systems commands to conduct reconnaissance, deploy a webshell backdoor accessible via OWA, and execute in-memory post-exploitation frameworks.

They have also been trying to brute force their way to exploitation via Exchange Web Services (EWS).

While the need for a compromised credential will put off many low-level black hats, more motivated hackers will certainly present a threat to organizations that have not yet patched, Volexity concluded.

Stay up-to-date with the latest information security trends and topics by registering for Infosecurity Magazine’s next Online Summit. Find out more here.

What’s Hot on Infosecurity Magazine?