Microsoft Again Urges Exchange Server Patch, as Attacks Resurge
DHS first alerted to an increase in attacks on a critical Microsoft Exchange server vulnerability in March. The tech giant issued a repeat warning, as researchers have detected a resurgence in attacks.
Microsoft is once again urging organizations to apply the patch for a critical vulnerability found in some Exchange Servers. The Department of Homeland Security first alerted to a surge in attacks on the CVE-2020-0688 flaw by advanced persistent threat actors in March.
The flaw is found in the control panel of the Exchange mail and calendaring server, which fails to generate unique cryptographic keys during installation. If an attacker knows the validation key, an authenticated user with a mailbox can pass “arbitrary objects to be deserialized by the web application, which runs as SYSTEM.”
The vulnerability is attractive to hackers as it would allow them to take control over an affected system.
Microsoft released a patch for the memory corruption vulnerability in early February. But researchers warned organizations were slow to patch the flaw, despite a surge in hackers actively exploiting it in the wild.
Now researchers have once again seen a rapid increase in attempted exploits.
Hackers exploit the flaw in two ways. In the most common method, attackers use social engineering or drive-by download attacks against endpoints to steal credentials, then move laterally to other endpoints.
The attack is a “dump-escalate move” to gain access to the Exchange Server.
The second, less common method is even more attractive to attackers, as it provides access to the underlying Internet Information Services (IIS), a component of the Exchange server. If an affected system has misconfigured access levels, it gives the hacker system privileges.
“If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance,” researchers warned in the latest alert.
“This is exacerbated by the fact that Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions,” they added. “Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.”
In particular, access to misconfigured servers gives hackers the highest privileges, allowing them to add new user accounts without needing to deploy remote access tools.
As a result, a hacker would then gain access to high-privilege groups, including administrators, remote desktop users, and enterprise admins, “practically making the attackers a domain admin with unrestricted access to any users or groups in the organization.”
Further, as part of the lateral movement, the hackers attempted to disable security tools and to disable archive scanning in order to bypass detection.
Microsoft urged organizations to apply the latest security patches to prevent compromise and to ensure that antivirus and other security protections are consistently enabled. IT administrators should review the access controls of sensitive roles and groups and restrict system access.
Lastly, organizations should prioritize alerts and immediately investigate suspicious activity on Exchange servers. Endpoint detection and response tools can also help security leaders better detect suspicious activity.
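One concrete way to act on the advice above, as an added example that is not part of the original article or of Microsoft's guidance: the flaw is reached by sending a crafted ViewState to the Exchange Control Panel, and ECP normally carries ViewState in a POST body rather than a GET query string, so a request to `/ecp/` with `__VIEWSTATE` in the query string is worth an analyst's attention. The script below scans IIS W3C log lines (the sample lines and the `PLACEHOLDER` generator value are constructed for this example) and returns the authenticated user and client IP for each such request.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C sample (not from the article). The #Fields: header
# is the standard IIS format; the log lines are invented for this example.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-04-01 10:00:01 10.0.0.5 GET /owa/ - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0 200
2020-04-01 10:00:07 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=AAEAAAD%2F%2F%2F%2F%2F 443 DOMAIN\\alice 198.51.100.7 python-requests/2.23 500
2020-04-01 10:00:09 10.0.0.5 POST /ecp/default.aspx - 443 DOMAIN\\bob 10.0.0.21 Mozilla/5.0 200
"""


def parse_iis_line(fields, line):
    """Map one space-separated IIS log line onto the names from the #Fields: header."""
    parts = line.split(" ")
    if len(parts) != len(fields):
        return None  # malformed or truncated line; skip rather than guess
    return dict(zip(fields, parts))


def find_ecp_viewstate_abuse(log_text):
    """Return records for requests to /ecp/ that carry __VIEWSTATE in the query string."""
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(" ")[1:]  # field names follow the header token
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        rec = parse_iis_line(fields, line)
        if rec is None:
            continue
        query = parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
        if rec["cs-uri-stem"].lower().startswith("/ecp/") and "__VIEWSTATE" in query:
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "user": rec["cs-username"],      # the authenticated mailbox owner
                "client_ip": rec["c-ip"],
                "status": rec["sc-status"],      # failed attempts often surface as 500s
                "user_agent": rec["cs(User-Agent)"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_ecp_viewstate_abuse(SAMPLE_LOG):
        print(hit)
```

A hit is a lead, not a verdict: confirm the server's patch level and treat the listed account and source address as the starting point of the investigation.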
“As these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques,” researchers concluded. “For example, at every stage in the attack chain above, the attackers abused existing tools (LOLBins) and scripts to accomplish various tasks.”
“Even in cases where non-system binaries were introduced, they were either legitimate and signed, like plink.exe, or just a proxy for the malicious binary, for example, the modified Mimikatz where the actual malicious payload never touched the disk,” they added.