
DHS Warns APT Attackers Exploiting Microsoft Exchange Server Flaw

Multiple APT groups are actively targeting an unpatched Microsoft Exchange Server flaw, DHS warns; a successful attacker can remotely execute code on the server with SYSTEM privileges.

A critical vulnerability in Microsoft Exchange Server is being actively exploited by multiple APT groups. Successfully exploiting an unpatched system gives an attacker remote code execution on the server, according to an alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

The National Security Agency also advised organizations to review Microsoft’s mitigation guidance.

Tracked as CVE-2020-0688, the vulnerability lies in the Exchange Control Panel (ECP), the web-based administration interface of the Exchange mail and calendaring server. Exchange fails to generate unique cryptographic keys at install time: every installation uses the same static ASP.NET machine keys that protect ViewState, the serialized page state the server hands to the browser and accepts back. Because ViewState integrity rests on an HMAC computed with the validation key, anyone who knows that key can sign a ViewState blob of their own choosing and the server will deserialize it. As Microsoft warns, with knowledge of the validation key an authenticated user with a mailbox can pass "arbitrary objects to be deserialized by the web application, which runs as SYSTEM."

Researchers warn the flaw is an attractive target because it lets an attacker take full control of an affected server. Microsoft released a patch for the flaw in February 2020, but attackers are still actively targeting systems that have not applied it.

Volexity researchers recently shared insights into the attacks. They found an attacker can successfully exploit the flaw when three conditions are met: the server has not been patched, the attacker can reach the Exchange Control Panel interface, and the attacker holds working credentials for any mailbox.

Those credentials let the attacker log in to the ECP and collect the two values the exploit needs: the ViewStateUserKey, which Exchange sets to the value of the authenticated ASP.NET_SessionId cookie, and the __VIEWSTATEGENERATOR value from a hidden field in the page source.

“The credential leveraged by the attacker does not need to be highly privileged or have ECP access,” researchers noted. “In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use.”

“Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail, etc., limiting what an attacker can do with a compromised password,” they continued. “This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account.”

To Volexity, the exploit drives home the need for better password management policies, including periodically changing login credentials even with use of 2FA.

Attackers who successfully exploit the flaw have been observed running system commands for reconnaissance, deploying webshell backdoors reachable through Outlook on the web (OWA), and executing in-memory post-exploitation frameworks.

Volexity researchers have also observed multiple APT groups brute-forcing credentials through Exchange Web Services (EWS), most likely to obtain the valid mailbox credentials the exploit requires.

“While brute-forcing credentials is a common occurrence, the frequency and intensity of attacks at certain organizations has increased dramatically following the vulnerability disclosure,” researchers warned.

“Volexity believes these efforts to be sourced from known APT groups due to IP address overlap from other attacks and, in some cases, due to the targeting of credentials that would only be known from a previous breach,” they added.

Organizations have several ways to detect whether the flaw has been exploited against them. Volexity shared indicators IT leaders can look for in the Exchange Control Panel server and exception logs, the IIS request logs, the Windows Application event log, the web directories under the Exchange installation where webshells are dropped, and other sources.
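As an added example (not Volexity's or Microsoft's own code), the following PowerShell scans IIS W3C logs for the request pattern these attacks leave behind: a request to an /ecp/ page that carries __VIEWSTATE in the URL query string. Legitimate ECP pages submit ViewState in a POST body, so a __VIEWSTATE= query parameter is the tell-tale. The log lines in the block are constructed, and the log directory in the usage comment is an assumption to be checked against the site's logging settings.

```powershell
# Added example, not code from Volexity or Microsoft. Scans IIS W3C log lines
# for the CVE-2020-0688 exploitation pattern: a request to an /ecp/ page that
# carries __VIEWSTATE in the URL query string. Real ECP pages post ViewState in
# the request body, so a __VIEWSTATE= query parameter is the tell-tale.

function Find-EcpViewStateRequests {
    param(
        [Parameter(Mandatory)]
        [string[]] $LogLines
    )

    $fields = $null
    foreach ($line in $LogLines) {
        # The W3C "#Fields:" header defines the column order for the lines that follow.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($null -eq $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) {
            continue
        }

        # IIS escapes spaces inside a field as "+", so a plain space split is safe.
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, skip it

        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }

        $stem  = $entry['cs-uri-stem']
        $query = $entry['cs-uri-query']
        if ($stem -notmatch '(?i)^/ecp/' -or $query -notmatch '(?i)(^|&)__VIEWSTATE=') { continue }

        $status = [int]$entry['sc-status']
        # A 500 usually means the forged ViewState failed to deserialize (an
        # "Invalid viewstate" exception); a 2xx/3xx means the server accepted the
        # object graph and the payload may have run, which is the worse case.
        $note = if ($status -ge 500) { 'ECP ViewState in query string; server error (failed or mis-built attempt)' }
                else                  { 'ECP ViewState in query string; request accepted, treat as likely compromise' }

        [pscustomobject]@{
            Time      = '{0} {1}' -f $entry['date'], $entry['time']
            ClientIP  = $entry['c-ip']
            User      = $entry['cs-username']
            Method    = $entry['cs-method']
            Uri       = $stem
            Status    = $status
            UserAgent = $entry['cs(User-Agent)']
            Note      = $note
        }
    }
}

# Constructed sample log (not real traffic). Line 2 mimics an exploitation
# attempt; line 3 is a normal ECP postback and must not be flagged.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-10 12:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2020-03-10 12:01:40 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAAA 443 CORP\jdoe 203.0.113.10 python-requests/2.22.0 - 500 0 0 94
2020-03-10 12:02:05 10.0.0.5 POST /ecp/default.aspx - 443 CORP\admin 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/ecp/ 200 0 0 60
'@ -split "`r?`n"

Find-EcpViewStateRequests -LogLines $sample | Format-Table -AutoSize

# On a server: the front-end site's log folder. W3SVC1 is the usual site ID for
# "Default Web Site" but is an assumption; confirm it in the site's Logging settings.
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' |
#     ForEach-Object { Find-EcpViewStateRequests -LogLines (Get-Content $_) }
```

Against the sample only the second line is reported, with a 500 status. Pair the sweep with the ECP server logs and the Application event log: a burst of "Invalid viewstate" errors from the Exchange Control Panel source around the same timestamps corroborates an attempt, while a hit with a 200 response and no matching error is the case to escalate first.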

To mitigate the issue, organizations should apply the patch Microsoft released in February. Beyond patching, Volexity recommends access control list (ACL) restrictions on the ECP virtual directory in IIS, and using any web application firewall capability already in place to block exploitation attempts.

The ECP directory should not be directly accessible by anyone without a specific need for it. Ideally, that means disabling access from the internet entirely, or restricting access to a defined set of IP addresses within the organization.
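One way to apply that restriction, as an added example rather than Microsoft's or Volexity's guidance: the PowerShell below uses the IIS "IP and Domain Restrictions" feature to deny the front-end /ecp virtual directory to everyone except a management subnet. It assumes the Exchange front-end site is named "Default Web Site" (the Exchange default) and that 10.0.50.0/24 is the admin network; both are placeholders to change.

```powershell
# Added example, not Microsoft's or Volexity's code. Limits the front-end /ecp
# virtual directory to a management subnet using the IIS "IP and Domain
# Restrictions" feature. Assumptions: the Exchange front-end site is
# "Default Web Site" and 10.0.50.0/24 is the admin network; change both.
Import-Module WebAdministration

$location  = 'Default Web Site/ecp'
$adminNet  = '10.0.50.0'
$adminMask = '255.255.255.0'
$filter    = 'system.webServer/security/ipSecurity'
$appHost   = 'MACHINE/WEBROOT/APPHOST'

# The feature is optional; nothing below works without it.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# ipSecurity is locked at the server level by default (overrideModeDefault="Deny"),
# so per-site or per-vdir settings are rejected with a lock error until it is unlocked.
Set-WebConfiguration -PSPath $appHost -Filter $filter -Metadata overrideMode -Value Allow

# Deny everything not explicitly listed for this vdir only.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter $filter -Name 'allowUnlisted' -Value $false

# Allow the admin subnet; guard against adding a duplicate rule on re-runs.
$existing = Get-WebConfiguration -PSPath $appHost -Location $location `
    -Filter "$filter/add[@ipAddress='$adminNet']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter $filter -Name '.' `
        -Value @{ ipAddress = $adminNet; subnetMask = $adminMask; allowed = $true }
}

# Verify: show the effective rules for the vdir.
Get-WebConfiguration -PSPath $appHost -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Two caveats before rolling this out: on Exchange 2013 and later the Outlook on the web Options pages are served from /ecp as well, so a blanket restriction also locks ordinary users out of their mailbox settings unless their address ranges are allowed; and Exchange cumulative updates can recreate the virtual directories and drop IIS customizations, so re-check the rules after every CU. Restricting the front end does not replace the patch, which is the only fix for the key reuse itself.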

Lastly, organizations are strongly advised to expire passwords and require periodic password changes; researchers have frequently seen old passwords lead to serious data breaches. Accounts that are no longer needed, or that have not logged in within the last 90 days, should be disabled.
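The two sweeps that recommendation implies, as an added example (not Volexity's or Microsoft's code): find enabled Active Directory accounts with no logon in 90 days, and find enabled accounts exempted from password expiry, which is where forgotten service accounts with old passwords usually hide. It assumes the RSAT ActiveDirectory module is available and runs the disable step with -WhatIf so the list can be reviewed first.

```powershell
# Added example, not Volexity's or Microsoft's code. Two sweeps for the password
# hygiene points above: enabled accounts with no logon in 90 days, and enabled
# accounts exempted from password expiry. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleAccounts {
    param([int] $Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    # LastLogonDate comes from the replicated lastLogonTimestamp attribute, which
    # is only refreshed about every 14 days; that is fine for a 90-day threshold
    # and avoids querying every domain controller. Accounts that have never logged
    # on but were created before the cutoff are treated as stale as well.
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object {
            ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
            (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
        } |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated
}

function Get-NonExpiringPasswordAccounts {
    # PasswordNeverExpires defeats the rotation policy; these are usually old
    # service accounts, exactly the kind of credential described above.
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
}

$stale = Get-StaleAccounts -Days 90
$stale | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation          # audit trail; review before acting
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }   # drop -WhatIf to disable

Get-NonExpiringPasswordAccounts | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Review the CSV before removing -WhatIf: service accounts that only authenticate at service start can look idle, and the sensible outcome for those is a password rotation and a note of where the credential is used, not a silent disable that takes down a dependency.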

“It is worth noting that 2FA may prevent the attack from being successful, as the attacker may not be able to acquire the data needed to exploit the vulnerability,” researchers wrote. “This vulnerability underscores such a case where an organization can be locked down, have properly deployed 2FA, and still have an incident due to an outdated or weak password.”

“Staying current with patches is the best defense for an organization,” they added. “More motivated attackers now have a way to compromise a critical piece of the IT infrastructure if it is not updated. If you have not already, apply these security updates immediately and look for signs of compromise.”
