Several Nation-State Groups Targeting Microsoft Exchange Servers

As part of Microsoft’s February Patch Tuesday a total of 99 vulnerabilities were patched. Much of the attention given to the event surrounded the patching of CVE-2020-0674, a zero-day vulnerability in Internet Explorer that, when exploited, could allow an attacker to execute arbitrary code by corrupting the scripting engine’s memory. According to a Microsoft advisory dated January 17, 2020, this vulnerability was being actively targeted by hackers. It is little wonder that it drew more attention than the other 98 patches released on Patch Tuesday. However, some nation-state groups appear far more interested in CVE-2020-0688, a vulnerability in Microsoft’s Exchange Server which Microsoft described rather tersely as,

“A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.”

According to security firm Volexity, nation-state groups have taken notice of this particular vulnerability and are looking to exploit unpatched Exchange servers. An article published by the firm details how nation-state groups, otherwise known as advanced persistent threat (APT) groups, are actively trying to exploit the vulnerability; more on this later.


Two weeks after the vulnerability was disclosed, the Zero Day Initiative published an article providing more detail on the flaw. According to the article, the vulnerability was reported to the Zero Day Initiative by an anonymous researcher and affects all supported versions of Microsoft Exchange Server up until the recent patch. In more detail than the Microsoft post, the Zero Day Initiative summarized the flaw as follows,

“Specifically, the bug is found in the Exchange Control Panel (ECP) component. The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter.”

If correctly exploited, the attacker can run malicious code on the server’s backend. The technical report published by the Zero Day Initiative allowed researchers to start working on proof-of-concept code that would let them test their servers, create detection rules, and develop successful mitigation strategies. As is typical, some of these proof-of-concept code bases made their way onto GitHub; posts by Ridter, Yt1g3R, and justin-p are currently accessible. Further, Rapid7 released a module that incorporates the exploit into the Metasploit penetration testing framework. Unfortunately, it was not only security researchers taking note of the flaw; nation-state groups were too.
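Added example, not code from the article, Volexity or the Zero Day Initiative: a small Python hunt over constructed IIS W3C log lines that flags Exchange Control Panel (ECP) requests carrying the __VIEWSTATE parameter in the URL query string. It assumes that legitimate ECP postbacks send __VIEWSTATE in the request body rather than the query string, and the log layout, usernames, addresses and size threshold are all constructed.

```python
# Added example (not from the article or the vendors it cites): hunting IIS
# logs for Exchange Control Panel requests that carry __VIEWSTATE in the URL.
# Assumption: normal ECP page postbacks send __VIEWSTATE in the POST body,
# so a request to /ecp/ with __VIEWSTATE in cs-uri-query is worth triage.
from urllib.parse import parse_qs

LONG_BLOB = "%2FwEPDwUK" + "A" * 600  # constructed stand-in for a large serialized payload
# Constructed W3C-format IIS log; usernames, IPs and timestamps are made up.
SAMPLE_IIS_LOG = (
    "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status\n"
    "2020-02-26 10:01:02 GET /owa/ - CORP\\alice 192.0.2.10 200\n"
    "2020-02-26 10:01:05 POST /ecp/default.aspx - CORP\\alice 192.0.2.10 200\n"
    f"2020-02-26 10:02:17 GET /ecp/default.aspx __VIEWSTATE={LONG_BLOB} CORP\\bob 198.51.100.7 500\n"
    "2020-02-26 10:03:40 GET /ecp/default.aspx __VIEWSTATE=%2FwEPDwUK CORP\\bob 198.51.100.7 500\n"
)
LARGE_VIEWSTATE = 256  # characters; constructed threshold, tune per environment


def parse_iis_log(text):
    """Parse W3C-format IIS lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed lines
                rows.append(dict(zip(fields, parts)))
    return rows


def find_ecp_viewstate_in_query(text, large=LARGE_VIEWSTATE):
    """Return ECP requests whose query string contains __VIEWSTATE."""
    hits = []
    for row in parse_iis_log(text):
        if not row["cs-uri-stem"].lower().startswith("/ecp/"):
            continue
        query = row["cs-uri-query"]
        if query == "-":  # IIS writes '-' for an empty field
            continue
        viewstate = parse_qs(query).get("__VIEWSTATE")
        if not viewstate:
            continue
        n = len(viewstate[0])  # decoded length of the ViewState blob
        hits.append({"when": f"{row['date']} {row['time']}", "user": row["cs-username"],
                     "client": row["c-ip"], "viewstate_len": n, "large": n >= large})
    return hits
```

Each hit names the authenticated account and client address, which is the starting point for checking whether that credential was stolen or stuffed.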

Nation-State Tactics

According to Volexity, nation-state groups are using previously stolen credentials that they had no use for until now. Simple passwords attached to accounts, or credentials for old, disused products, are what the nation-state actors are looking to use to exploit this flaw. If the target has two-factor authentication (2FA) enabled on an account, this severely limits what the attacker can do. Researchers noted that the attackers either used stolen Exchange credentials or attempted brute-force and credential-stuffing attacks against vulnerable Exchange servers. This is a required step, as the flaw can only be exploited once the attacker has authenticated. Only once logged in can the attacker begin the process of hijacking the targeted email server.

This requirement means that unskilled hackers are unlikely to pass the first hurdle, as it is only nation-state and APT groups that have the skills needed to steal the relevant credentials in the first place. This is often done via phishing campaigns conducted some time beforehand. Exploiting this flaw will be high on certain agendas, as hijacking an email server would allow a nation-state group not only to read company communications but also to craft campaigns that target the company more precisely, with a greater chance of success. Researchers have a further worry: once nation-state groups have successfully exploited the vulnerability, the skills needed will filter down to other, more financially motivated groups. If this happens, ransomware attacks that exploit this flaw may follow.

To protect company email servers from being hijacked via the Exchange flaw detailed above, it is important to ensure that the Microsoft patch has been applied. All unpatched Exchange servers are considered vulnerable to exploitation, so patching is the first line of defense. Further, admins should ensure strong passwords are used and changed at regular intervals. Two-factor authentication should be used wherever possible. In summary, Volexity researchers concluded that,

“The latest Microsoft Exchange ECP vulnerability has provided attackers with another opportunity to break into organizations where they may previously have been unsuccessful. Staying current with patches is the best defense for an organization. Fortunately, this vulnerability does require a compromised credential to exploit and, as a result, will stave off widespread automated exploitation such as those that often deploy cryptocurrency miners or ransomware. However, more motivated attackers now have a way to compromise a critical piece of the IT infrastructure if it is not updated. If you have not already, apply these security updates immediately and look for signs of compromise.”
