Several APT groups are quietly exploiting Microsoft Exchange servers, researchers say.


Researchers report that a vulnerability in Microsoft Exchange servers is being actively exploited. On unpatched servers it allows an authenticated attacker to execute code remotely with SYSTEM privileges.

The bug in question (CVE-2020-0688) lies in the control panel of Exchange, Microsoft's mail and calendar server, and was fixed in Microsoft's February security updates. In an advisory published Friday, however, researchers said that unpatched servers are being widely exploited by unnamed APT actors.

"We have seen that many Chinese APT members exploit or try to exploit this bug," said Steve Adair, founder and chairman of Volexity. "I suspect, however, that this vulnerability is now owned by operators around the world, and some businesses that have not patched, or did not patch quickly enough, will unfortunately pay the price."

After Microsoft fixed the bug in February, researchers at the Zero Day Initiative (ZDI), which first disclosed the vulnerability, published further details on the flaw. On March 4, Rapid7 released an exploit module for the Metasploit penetration testing framework.

The vulnerability lies in the Exchange Control Panel (ECP), a web-based administration interface introduced in Exchange Server 2010. Specifically, every ECP installation ships with the same cryptographic key values in its configuration, rather than keys generated randomly per installation.

These keys protect ViewState, the server-side state that ASP.NET web applications store on the client in serialized form.

According to ZDI, if the ECP interface is reachable by an attacker, and the attacker holds working credentials that grant access to the ECP, an unpatched server (one without the 11 February 2020 update) can be abused.
Once logged into the ECP with compromised credentials, an attacker can use the fixed cryptographic keys to craft ViewState data that the server will deserialize, and thereby take over the Exchange server.
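To illustrate the configuration weakness described above from the defender's side, here is an added example (not code from Volexity, ZDI or Microsoft) that audits ASP.NET web.config files for hard-coded machineKey values and, going beyond the single-server case, flags key values that repeat across a fleet of servers; the hostnames and key values are constructed placeholders.

```python
"""Audit ASP.NET web.config machineKey settings for the weakness class behind
CVE-2020-0688: hard-coded ViewState keys, especially ones identical across
installations. Added example, not code from Volexity, ZDI or Microsoft."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments from three hypothetical Exchange servers;
# the key values are placeholders, not the real ECP keys.
SAMPLE_CONFIGS = {
    "exch-01": """<configuration><system.web><machineKey
        validationKey="AAAA1111BBBB2222" decryptionKey="CCCC3333DDDD4444"/>
        </system.web></configuration>""",
    "exch-02": """<configuration><system.web><machineKey
        validationKey="AAAA1111BBBB2222" decryptionKey="CCCC3333DDDD4444"/>
        </system.web></configuration>""",
    "exch-03": """<configuration><system.web><machineKey
        validationKey="AutoGenerate,IsolateApps"
        decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>""",
}

def machine_key(xml_text):
    """Attributes of the first <machineKey> element, or None when absent
    (absent means ASP.NET's default of auto-generated keys applies)."""
    node = next(ET.fromstring(xml_text).iter("machineKey"), None)
    return None if node is None else dict(node.attrib)

def is_static(value):
    """A key attribute is hard-coded unless it asks ASP.NET to generate it."""
    return value is not None and not value.startswith("AutoGenerate")

def audit(configs):
    """configs: {hostname: web.config text} -> {hostname: [findings]}.
    Reports every hard-coded key, and every key value that also appears on
    another host: a shared key lets ViewState forged for one server be
    accepted by all of them, which is exactly what made ECP exploitable."""
    findings = defaultdict(list)
    users = defaultdict(set)  # (attribute, key value) -> hosts using it
    for host, text in configs.items():
        mk = machine_key(text)
        if mk is None:
            continue
        for attr in ("validationKey", "decryptionKey"):
            val = mk.get(attr)
            if is_static(val):
                findings[host].append(f"hard-coded {attr}")
                users[(attr, val)].add(host)
    for (attr, _), hosts in users.items():
        if len(hosts) > 1:
            for host in hosts:
                findings[host].append(f"{attr} shared with {sorted(hosts - {host})}")
    return dict(findings)
```

Run `audit(SAMPLE_CONFIGS)` on the constructed fleet: exch-01 and exch-02 are reported for hard-coded and mutually shared keys, while exch-03, which uses auto-generated keys, produces no findings.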

Brian Gorenc, head of vulnerability research at Trend Micro's ZDI, told Threatpost that the seriousness of this bug was clear when ZDI purchased it. "That is why we collaborated with Microsoft to coordinate disclosure and patching, and we have provided defenders with detailed information through our blog.

"We thought administrators of Exchange would find this rather than necessary, as Microsoft listed it as a critical patch. In order to safeguard against this vulnerability, we advise everyone to apply the patch as soon as possible."

Although an attacker needs credentials to leverage the exploit, researchers said those credentials do not have to be highly privileged or even have ECP access.

After technical details of the bug were disclosed, researchers noted that they observed many APT groups attempting to brute-force authentication through Exchange Web Services (EWS). Such groups were probably trying to exploit the flaw.

Although brute-forcing credentials is routine, the frequency and intensity of attacks against certain organizations increased dramatically after the vulnerability was disclosed.

Researchers said they suspect these attempts are made by "established APT parties", because the IP addresses match those seen in previous attacks. In some cases the credentials used were also linked to earlier APT-related breaches.

Adair told Hackers Review that in the coming months this could easily hit hundreds of organizations. "We saw only a handful of different servers and organizations, from our point of view," said Adair. "I suspect, however, that attackers worldwide will have access to and will not be able to use compromised credentials."

In addition to restricting access to the ECP virtual directory with access control lists, or placing it behind a web application firewall, researchers advise organizations to ensure they are current on Microsoft security updates. Companies should also enforce password expiry and require users to change passwords regularly, researchers said.

"This vulnerability illustrates a case in which an organization is locked down, has implemented 2FA properly, and still has a missing or poor password accident," said researchers.