Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability

Microsoft has issued a further warning to all Exchange users to patch the critical Microsoft Exchange memory corruption vulnerability CVE-2020-0688.

Microsoft released an update to correct the vulnerability in February 2020 and an alert was issued in March when the flaw started to be exploited by APT groups, yet even though the vulnerability was being actively exploited in the wild, patching was still slow. Now Microsoft has detected a surge in attacks on vulnerable Exchange servers and is advising all Exchange customers to ensure the flaw is patched immediately.

Any vulnerability in Microsoft Exchange should be treated as high priority. By exploiting Exchange flaws, an attacker can gain access to the email system, which often contains an extensive amount of highly sensitive information, and often protected health information in healthcare. As is the case with this vulnerability, attackers can gain access to highly privileged accounts and not only compromise the entire email system, but also gain administrative rights to the server and from there take control of the network.

“Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions,” warns Microsoft. “Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.”

Microsoft explained that the CVE-2020-0688 vulnerability is an attacker’s dream. They do not need to use phishing and social engineering tactics to try to gain access to an admin account, they can simply attack the server directly.

An analysis of attacks conducted in April show APT groups are deploying web shells, running exploratory commands to perform reconnaissance, and uses EternalBlue to identify other machines on the network to attack. If the server has been misconfigured, attackers have been able to gain the highest level of privileges and access to the server without having to use remote access tools.

A new account is added that makes the attacker a domain admin with unrestricted access to users or group in the organization. The attackers have used the compromised servers to gain access to the credentials of some of the most sensitive users and groups in an organization.

Attackers are exploiting the vulnerability and gaining a stable foothold in the targeted organization’s network. They tamper with security tools, achieve lateral movement, establish remote access bypassing security restrictions, and have exfiltrated data, including entire mailboxes. The failure to apply the patch to correct the flaw could result in an extensive and costly data breach.

In addition to applying the patch, Microsoft recommends remediating any further vulnerabilities in Exchange servers immediately, installing antivirus software on Exchange servers and keeping the software up to date, and also turning on tamper protection features to prevent attackers from disabling security services.

The principle of least-privilege should be practiced, credential hygiene should be maintained, and reviews should be conducted to identify any highly privileged groups that have been added. Security teams are also advised to respond immediately to alerts about suspicious activities on Exchange servers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.