Multiple nation-state groups are hacking Microsoft Exchange servers


Digital Technology Unlocked




Multiple government-backed hacking groups are exploiting a recently-patched vulnerability in Microsoft Exchange email servers.

The exploitation attempts were first spotted by cyber-security firm Volexity on Friday and were confirmed today to ZDNet by a source in the DOD.

Volexity did not name the hacking groups exploiting this Exchange vulnerability, and it did not return a request for comment seeking additional details.

The DOD source described the hacking groups as “all the big players,” also declining to name groups or countries.

The Microsoft Exchange vulnerability

These state-sponsored hacking groups are exploiting a vulnerability in Microsoft Exchange email servers that Microsoft patched last month, in the February 2020 Patch Tuesday.

The vulnerability is tracked as CVE-2020-0688. Below is a summary of its technical details:

  • During installation, Microsoft Exchange does not generate a unique cryptographic key for the Exchange Control Panel (ECP); every installation ships with the same static validationKey and decryptionKey in the ECP web.config.
  • This means that all Microsoft Exchange email servers released during the past 10+ years use identical keys to protect the control panel's ASP.NET ViewState.
  • An attacker who can authenticate to the control panel (any set of valid mailbox credentials is enough) can send a crafted request whose __VIEWSTATE parameter contains malicious serialized data.
  • Because the attacker knows the validationKey, they can compute a valid MAC for that data, so the server accepts it and deserializes it, which results in attacker-controlled code running on the Exchange server's backend.
  • The malicious code runs with SYSTEM privileges, giving attackers full control of the server.
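The following is an added example (not code from the article, from Microsoft or from any published exploit) that models why a shared validationKey defeats the ViewState MAC check. It is a deliberate simplification of ASP.NET ViewState: the state is an opaque byte string, the modifier is a constant, and `STATIC_KEY`, `MODIFIER` and `GADGET_PAYLOAD` are constructed placeholders, not the real Exchange values. The function names are the example's own.

```python
import base64
import hashlib
import hmac
import os

# Simplified model of ASP.NET ViewState MAC protection. Real ViewState carries
# a LosFormatter-serialized object graph and a modifier derived from
# __VIEWSTATEGENERATOR and the ViewStateUserKey; here the state is an opaque
# byte string and the modifier a short constant. That is enough to show why a
# validationKey shared by every installation makes the MAC check worthless.

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def sign_viewstate(state: bytes, validation_key: bytes, modifier: bytes) -> str:
    """Produce base64(state || HMAC-SHA1(validation_key, state || modifier))."""
    mac = hmac.new(validation_key, state + modifier, hashlib.sha1).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes, modifier: bytes):
    """Server side: recompute the MAC and return the state only if it matches.

    A real server hands the returned state to the deserializer at this point,
    which is where CVE-2020-0688 turns a forged MAC into code execution.
    """
    raw = base64.b64decode(token)
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state + modifier, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered, or signed under a different key
    return state


# Stand-in for the static key baked into every Exchange install's ECP
# web.config. Constructed placeholder; the real value is not reproduced here.
STATIC_KEY = b"same-key-in-every-install"
# Placeholder for the inputs (__VIEWSTATEGENERATOR, session key) that ASP.NET
# mixes into the MAC; the attacker obtains both from a normal ECP session.
MODIFIER = b"viewstategenerator+sessionid"
# Placeholder for a serialized gadget chain; here it is just an opaque blob.
GADGET_PAYLOAD = b"<serialized object graph that runs code on deserialize>"


def attacker_forges_token(validation_key: bytes) -> str:
    """The attacker signs their payload with whatever key they know."""
    return sign_viewstate(GADGET_PAYLOAD, validation_key, MODIFIER)


def server_accepts(token: str, server_key: bytes) -> bool:
    return verify_viewstate(token, server_key, MODIFIER) is not None


def demo() -> tuple:
    """Return (accepted by unpatched server, accepted by server with a unique key)."""
    forged = attacker_forges_token(STATIC_KEY)
    # Unpatched: the server's key is the publicly known static key, so the
    # forgery passes MAC validation and reaches the deserializer.
    unpatched = server_accepts(forged, STATIC_KEY)
    # Per-installation random key (what the fix amounts to): the same forged
    # token is rejected before anything is deserialized.
    unique_key = os.urandom(32)
    patched = server_accepts(forged, unique_key)
    return unpatched, patched


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point the model makes is that a MAC only protects what the key holder cannot forge; once the key is the same on every server, "signed by the server" and "signed by anyone who read the ZDI report" are indistinguishable, and the only thing standing between the attacker and the deserializer is the login that any phished mailbox password provides.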

Microsoft released patches for this bug on February 11, when it also warned sysadmins to install the fixes as soon as possible, anticipating future attacks.

Nothing happened for almost two weeks. Things escalated towards the end of the month, though, when the Zero-Day Initiative, which had reported the bug to Microsoft, published a technical report detailing the bug and how it worked.

The report served as a roadmap for security researchers, who used the information contained within to craft proof-of-concept exploits so they could test their own servers and create detection rules and prepare mitigations.
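One detection rule that came out of that work checks IIS logs for the exploit's signature: a request to the control panel that carries `__VIEWSTATE` in the URL query string, where a legitimate ECP page posts its ViewState in the request body. The script below is an added example (not from the article, Volexity or ZDI) that runs that check over a constructed IIS W3C log excerpt; the log lines, user names and addresses are made up, and `parse_iis_log` and `find_viewstate_in_query` are the example's own names.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not from any real server). Exchange's IIS
# logs use this "#Fields:" layout; fields are space-separated, "-" marks an
# empty field and spaces inside a field (e.g. the User-Agent) are written as "+".
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-06 10:11:12 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCD1234&__VIEWSTATE=%2FwEyAQ 443 CORP\\jdoe 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 500
2020-03-06 10:11:13 10.0.0.5 GET /owa/ - 443 CORP\\asmith 198.51.100.9 Mozilla/5.0 200
2020-03-06 10:11:14 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\asmith 198.51.100.9 Mozilla/5.0 200
2020-03-06 10:11:15 10.0.0.5 GET /ecp/DDI/DDIService.svc/GetList schema=VirtualDirectory&msExchEcpCanary=abc 443 CORP\\asmith 198.51.100.9 Mozilla/5.0 200
2020-03-06 10:11:16 10.0.0.5 GET /ecp/default.aspx __viewstate=AAAA 443 CORP\\jdoe 203.0.113.7 python-requests/2.22 500
"""


def parse_iis_log(text: str):
    """Yield one dict per record, keyed by the names in the latest #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip truncated or malformed lines instead of aborting the scan
        yield dict(zip(fields, values))


def find_viewstate_in_query(records):
    """Flag control-panel requests that carry __VIEWSTATE in the query string.

    Normal ECP traffic posts ViewState in the body, so a __VIEWSTATE (or
    __VIEWSTATEGENERATOR) parameter in cs-uri-query is a strong indicator of
    the public exploit. Parameter names are compared case-insensitively
    because ASP.NET looks them up that way too.
    """
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if not stem.startswith("/ecp/") or query == "-":
            continue
        names = {name.lower() for name in parse_qs(query, keep_blank_values=True)}
        if "__viewstate" in names:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client_ip": rec.get("c-ip"),
                "user": rec.get("cs-username"),
                "method": rec.get("cs-method"),
                "uri": stem,
                "status": rec.get("sc-status"),
                "has_generator": "__viewstategenerator" in names,
            })
    return hits


if __name__ == "__main__":
    for hit in find_viewstate_in_query(parse_iis_log(SAMPLE_IIS_LOG)):
        print(hit)
```

Two of the five constructed records are flagged: the textbook request with both `__VIEWSTATEGENERATOR` and `__VIEWSTATE`, and a lowercase `__viewstate` variant. The normal `POST /ecp/default.aspx` and the DDI service call are not, since neither carries ViewState in the URL. The `cs-username` field matters here because the exploit requires an authenticated session: the flagged account is the one whose credentials should be assumed compromised. The HTTP 500 on the flagged lines is typical of the published proof-of-concepts (the payload runs, then the page fails to render), but it is the presence of ViewState in the query, not the status code, that carries the signal.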

At least three of these proof-of-concepts found their way onto GitHub. A Metasploit module soon followed.

Just like in many other cases before, once technical details and proof-of-concept code became public, hackers also began paying attention.

On February 26, a day after the Zero-Day Initiative report went live, hacker groups began scanning the internet for Exchange servers, compiling lists of vulnerable servers they could target at a later date. First scans of this type were detected by threat intel firm Bad Packets.

Now, according to Volexity, the scans for Exchange servers have turned into actual attacks.

The first ones to weaponize this bug were APTs — “advanced persistent threats,” a term often used to describe state-sponsored hacker groups.

However, other groups are also expected to follow suit. Security researchers to whom ZDNet spoke earlier today said they anticipate that the bug will become very popular with ransomware gangs who regularly target enterprise networks.

Weaponizing older, useless phished credentials