Malicious Hacker Groups Found Exploiting Recently-Patched Memory Corruption Bug in Microsoft Exchange Email Server

  • The flaw is tracked as CVE-2020-0688.
  • The flaw gives attackers the ability to access sensitive data related to an organization.

On February 11, 2020, Microsoft had released cumulative security updates for multiple vulnerabilities found in its products. One of these included a fix for a remote code vulnerability that existed in the Exchange Control Panel Panel (ECP) and affected Microsoft Exchange email servers 2010, 2013, 2016, and 2019.

Although a patch to address the flaw has been released, there seems to be a large number of Microsoft Exchange servers that are still to be patched. However, threat actors have started seeing this as an opportunity to conduct malicious activities.

What is the update?
According to researchers from Volexity, government-backed hacker groups are actively scanning the internet for Microsoft Exchange servers that are vulnerable to a remote code execution flaw tracked as CVE-2020-0688.

The flaw gives attackers the ability to access sensitive data related to an organization.

Conditions under which the exploitation occurs 
A Microsoft Exchange server vulnerable to the RCE flaw can be exploited if the following three criteria are met:
  • The Exchange Server has not been patched since February 11, 2020.
  • The Exchange Control Panel (ECP) interface is accessible to the attackers.
  • The attackers have a list of working credentials that allow them to access the ECP in order to collect the ViewStateKey from the authenticated session cookie as well as the __VIEWSTATEGENERATOR value from a hidden field within the page source.

What is the impact?
In recent attacks, Volexity observed the Exchange ECP vulnerability allowed attackers to:
  • Run system commands to conduct reconnaissance.
  • Deploy webshell backdoor accessible via OWA.
  • Execute in-memory post-exploitation frameworks.

Bottom line
Exploiting vulnerabilities in unpatched servers is not new. In 2019, attackers had widely exploited two well-known vulnerabilities in the Oracle WebLogic server (CVE-2019-2725) and Atlassian Confluence server (CVE-2019-3396) to launch attacks. The vulnerabilities were exploited in large to deploy ransomware and other malware. Therefore, it is very necessary to patch the vulnerabilities with security updates as soon as possible.