Multiple state-sponsored hacking groups are exploiting a vulnerability in Microsoft Exchange email servers that the company patched in February. The exploitation attempts were first spotted by UK cyber-security firm Volexity on Friday. Volexity confirmed that exploitation of this security flaw began in late February, with several organizations already having their networks compromised after state-backed advanced persistent threat (APT) groups exploited the CVE-2020-0688 flaw.
The vulnerability exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.
The CVE-2020-0688 security flaw is a post-authentication bug. Hackers first need to log in and then run the malicious payload that hijacks the victim’s email server.
Microsoft patched this RCE security flaw as part of the February 2020 Patch Tuesday and tagged it with an “Exploitation More Likely” exploitability index assessment, hinting that CVE-2020-0688 would be an attractive target for attackers.
On February 26, a day after the Zero-Day Initiative report went live, hacker groups began scanning the internet for Exchange servers, gathering lists of vulnerable servers they could target at a later date.
Now, the scans for Exchange servers have turned into actual attacks.
The first ones to weaponize this bug were APTs (advanced persistent threats), a term often used to describe state-sponsored hacker groups.
“This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account,” said security researchers.
Links to the security update descriptions and downloads for vulnerable server versions are listed in the table below:

| Product | KB article number | Update type |
|---|---|---|
| Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 | 4536989 | Security Update |
| Microsoft Exchange Server 2013 Cumulative Update 23 | 4536988 | Security Update |
| Microsoft Exchange Server 2016 Cumulative Update 14 | 4536987 | Security Update |
| Microsoft Exchange Server 2016 Cumulative Update 15 | 4536987 | Security Update |
| Microsoft Exchange Server 2019 Cumulative Update 3 | 4536987 | Security Update |
| Microsoft Exchange Server 2019 Cumulative Update 4 | 4536987 | Security Update |
All Microsoft Exchange servers are considered vulnerable, even versions that have gone end-of-life (EoL). For EoL versions, organizations should look into updating to a newer Exchange version. If updating the Exchange server is not an option, companies are advised to force a password reset for all Exchange accounts.
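The following PowerShell is an added example, not code from the article or from Microsoft: it maps each Exchange server in an organization to the KB number the table above lists for its version line, checks whether that update is registered on the local server, and implements the article's fallback mitigation of forcing a password change for mailbox users. It assumes it runs in the Exchange Management Shell with the ActiveDirectory module loaded; the version-prefix mapping (14.3 = 2010 SP3, 15.0 = 2013, 15.1 = 2016, 15.2 = 2019), the registry location of Windows Installer patch names, and the function names are assumptions of this example.

```powershell
# Added example (not from the article). Assumes Exchange Management Shell plus the
# ActiveDirectory module (Get-ExchangeServer, Get-Mailbox, Set-ADUser available).

# KB numbers from the article's table, keyed by the "Major.Minor" prefix that
# Get-ExchangeServer reports in AdminDisplayVersion. The prefix mapping is an
# assumption based on Exchange's usual version scheme.
$KbByVersion = @{
    '14.3' = 'KB4536989'   # Exchange 2010 SP3 Update Rollup 30
    '15.0' = 'KB4536988'   # Exchange 2013 CU23
    '15.1' = 'KB4536987'   # Exchange 2016 CU14 / CU15
    '15.2' = 'KB4536987'   # Exchange 2019 CU3 / CU4
}

function Get-RequiredExchangeKb {
    # One object per Exchange server, with the KB the table lists for its version line.
    # Servers whose prefix is not in the table are end-of-life per the article and need
    # an upgrade rather than a security update.
    Get-ExchangeServer | ForEach-Object {
        $versionText = [string]$_.AdminDisplayVersion   # e.g. "Version 15.1 (Build 1913.5)"
        $prefix = $null
        if ($versionText -match 'Version (\d+\.\d+)') { $prefix = $Matches[1] }
        $kb = if ($prefix -and $KbByVersion.ContainsKey($prefix)) { $KbByVersion[$prefix] }
              else { 'none listed: EoL version, upgrade required' }
        [pscustomobject]@{ Server = $_.Name; Version = $versionText; RequiredKb = $kb }
    }
}

function Test-ExchangeKbInstalled {
    param([Parameter(Mandatory)][string]$Kb)
    # Assumption: Exchange security updates install as Windows Installer patches whose
    # DisplayName contains the KB number, registered under the per-product Patches keys.
    # Run this on the Exchange server itself; it reads the local registry only.
    $productRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
    $patchNames = Get-ChildItem -Path $productRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSPath -like '*\Patches\*' } |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName }
    return [bool]($patchNames | Where-Object { $_ -like "*$Kb*" })
}

function Set-ExchangeUsersMustChangePassword {
    # The article's fallback when patching is not an option: force a password reset for
    # Exchange accounts. Interactive users get "change at next logon"; service accounts
    # never log on interactively, so list them in -ExcludeSamAccountNames and rotate
    # their passwords separately (the article's quote names old service accounts as an
    # entry point, so do not skip that step).
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ExcludeSamAccountNames = @())

    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { $ExcludeSamAccountNames -notcontains $_.SamAccountName } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Require password change at next logon')) {
                Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true
            }
        }
}

# Usage: inventory first, then verify the local server, then (only if patching is
# impossible) preview the reset with -WhatIf before running it for real.
Get-RequiredExchangeKb | Format-Table -AutoSize
$local = Get-RequiredExchangeKb | Where-Object { $_.Server -eq $env:COMPUTERNAME }
if ($local -and $local.RequiredKb -like 'KB*') {
    "{0}: {1} installed = {2}" -f $local.Server, $local.RequiredKb, (Test-ExchangeKbInstalled -Kb $local.RequiredKb)
}
# Set-ExchangeUsersMustChangePassword -ExcludeSamAccountNames 'svc-backup' -WhatIf
```

The inventory step is the one to run first on a change window: a server whose version prefix is missing from the table is end-of-life and the only fix the article offers for it is an upgrade, while a server that maps to a KB but reports `installed = False` is the one still exposed to the post-authentication remote code execution described above.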