Microsoft has warned Exchange customers to patch their servers urgently after reporting a surge in attacks exploiting an Internet Information Services (IIS) vulnerability.
That flaw, CVE-2020-0688, was patched in February, but attackers are still finding unpatched servers to compromise. Once they have access to the targeted server, hackers often deploy a web shell so they can steal data or perform other malicious actions later, explained Hardik Suri of the Microsoft Defender ATP Research Team.
Multiple APT groups were detected exploiting the bug back in March, but a month later 350,000 servers were still unpatched, according to Rapid7.
“If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance,” Suri added.
“This is exacerbated by the fact that Exchange servers have traditionally lacked anti-virus solutions, network protection, the latest security updates and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions. Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.”
Following a web shell deployment, attackers may perform reconnaissance, perhaps using EternalBlue to identify vulnerable machines on the network. If the server has been misconfigured, they may have gained privileges that enable them to add a new account for persistence.
Compromised Exchange servers can also enable credential access for some of the “most sensitive users and groups in an organization,” said Suri.
Lateral movement, Exchange Management Shell abuse, remote access and exfiltration typically follow, he added.
Apart from applying the latest security updates, Microsoft recommended Exchange server customers keep anti-virus and other protections on at all times, review highly privileged groups, restrict access and prioritize alerts.
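The following PowerShell script is an added example of how an administrator might act on two of the points above: reviewing highly privileged groups for recently created accounts (the persistence technique described earlier) and checking Exchange's web directories for recently written script files of the kind a web shell leaves behind. It is not code from the article or from Microsoft. It assumes a domain-joined host with the RSAT ActiveDirectory module, the `$env:ExchangeInstallPath` variable that Exchange setup defines, and the group list and look-back window are assumptions to adjust for your environment.

```powershell
# Added example (not from the article or Microsoft): two defender-side checks
# that follow the "review highly privileged groups" and "prioritize alerts" advice.
# Assumes: RSAT ActiveDirectory module, domain-joined host, run on an Exchange server.
Import-Module ActiveDirectory

$lookbackDays = 30                       # assumed review window
$cutoff = (Get-Date).AddDays(-$lookbackDays)

# Assumed list of groups whose membership is worth reviewing regularly.
$privilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Organization Management',
    'Exchange Trusted Subsystem'
)

# Check 1: user accounts in privileged groups that were created inside the window.
$accountFindings = foreach ($group in $privilegedGroups) {
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read group '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($member in ($members | Where-Object objectClass -eq 'user')) {
        $user = Get-ADUser -Identity $member.distinguishedName -Properties whenCreated, lastLogonDate
        [pscustomobject]@{
            Group          = $group
            SamAccountName = $user.SamAccountName
            Enabled        = $user.Enabled
            Created        = $user.whenCreated
            LastLogon      = $user.LastLogonDate
            RecentlyAdded  = ($user.whenCreated -gt $cutoff)   # flag for manual review
        }
    }
}

# Check 2: script files under the Exchange web roots written inside the window.
# Legitimate updates also touch these paths, so treat hits as leads, not verdicts.
$webRoots = @(
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
    (Join-Path $env:ExchangeInstallPath 'ClientAccess')
)
$fileFindings = foreach ($root in $webRoots) {
    if (-not (Test-Path $root)) { Write-Warning "Path not found: $root"; continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, LastWriteTime, Length
}

# Report: everything for context, flagged items exported for the ticket queue.
$accountFindings | Sort-Object Created -Descending | Format-Table -AutoSize
$fileFindings    | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize

$accountFindings | Where-Object RecentlyAdded | Export-Csv -NoTypeInformation -Path .\privileged-accounts-review.csv
$fileFindings    | Export-Csv -NoTypeInformation -Path .\exchange-webroot-review.csv
```

Run it from an elevated PowerShell session on the Exchange server, compare the two CSV files against change records, and investigate any privileged account or web-root script file that nobody can account for. Scheduling the script and forwarding the CSVs to a SIEM turns the one-off review into a recurring alert source.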