A number of government-supported hacking groups are exploiting a recently patched vulnerability in Microsoft Exchange email servers.
Microsoft Exchange Control Panel (ECP) Vulnerability CVE-2020-0688 Exploited
Microsoft released cumulative updates and a service pack that address a remote code execution vulnerability in Microsoft Exchange 2010, 2013, 2016, and 2019. The vulnerability was discovered by an anonymous security researcher and reported to Microsoft through Trend Micro’s Zero Day Initiative.
Microsoft rated this as Important in severity, likely because an attacker must first authenticate. It should be noted, however, that within an enterprise, almost any user is allowed to authenticate to the Exchange server.
The exploitation attempts were first detected by cybersecurity company Volexity. Volexity did not share the names of the hacking groups exploiting this Exchange vulnerability, and did not respond to a request for further details.
Microsoft Exchange vulnerability (MEV)
These state-sponsored hacking groups are exploiting a vulnerability in Microsoft Exchange email servers that Microsoft patched last month, on Patch Tuesday in February 2020.
The vulnerability is tracked as CVE-2020-0688. The following is a summary of its technical details:
· During installation, Microsoft Exchange servers do not create a unique cryptographic key for the Exchange Control Panel.
· This means that all Microsoft Exchange email servers deployed over the past ten years use the same cryptographic keys (validationKey and decryptionKey) for the control panel.
· Attackers can submit requests to the Exchange Control Panel that contain malicious serialized data.
· Because the control panel's keys are known, an attacker can craft serialized data that the control panel accepts and deserializes, which results in malicious code running on the Exchange server's backend.
· The malicious code is executed with SYSTEM privileges, giving the attackers full control of the server.
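Because the malicious serialized data is delivered in requests to the control panel, the IIS logs on the Exchange server are the natural place to look for exploitation attempts. The script below is an added example, not code from the article or from Volexity or Microsoft: it parses IIS W3C log lines and flags requests to /ecp/ whose query string carries __VIEWSTATE, a field that legitimate browser traffic sends in the POST body rather than in the URL. The log lines, host names, user names, IP addresses and the __VIEWSTATEGENERATOR value are all constructed sample data.

```python
"""Flag Exchange Control Panel requests carrying ViewState in the query string.

Added example (not from the article): scans IIS W3C-format log text for
requests to /ecp/ whose cs-uri-query contains __VIEWSTATE.  Normal ECP use
submits ViewState in the POST body, which IIS does not log, so ViewState in
the logged query string is a strong signal worth triaging.
"""
from urllib.parse import parse_qs

# Constructed sample log; every value below is made up for this example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-26 10:15:01 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 200
2020-02-26 10:15:07 10.0.0.5 GET /owa/auth.owa - 443 - 10.0.0.21 Mozilla/5.0 302
2020-02-26 10:16:12 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=DEADBEEF&__VIEWSTATE=%2FwEyAAAAAAA 443 CORP\\bob 203.0.113.7 python-requests/2.22.0 500
2020-02-26 10:16:40 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per log record, using the #Fields header for column names."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log record appeared before a #Fields header")
        values = line.split()  # IIS encodes spaces inside fields as '+'
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign
        yield dict(zip(fields, values))


def find_ecp_viewstate_requests(text):
    """Return triage records for /ecp/ requests with __VIEWSTATE in the URL query."""
    hits = []
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if not stem.startswith("/ecp/") or query == "-":
            continue
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        if "__viewstate" in params:
            hits.append({
                "timestamp": f"{rec.get('date')} {rec.get('time')}",
                "user": rec.get("cs-username"),
                "client_ip": rec.get("c-ip"),
                "user_agent": rec.get("cs(User-Agent)"),
                "status": rec.get("sc-status"),
                "uri": stem,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ecp_viewstate_requests(SAMPLE_LOG):
        print(hit)
```

Any hit is worth investigating: the authenticated user whose credentials were used should be checked for compromise, and the client IP and user agent (here a scripting library rather than a browser) help separate automated exploitation from ordinary admin use. Feed the function the contents of the ECP site's W3C log files to run it on a real server.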
Microsoft released patches for this vulnerability on February 11, and at the same time urged sysadmins to install the updates as soon as possible, anticipating future attacks.
How Attackers Exploit Microsoft Exchange
As a result of this vulnerability, attackers take advantage of a function in the Exchange Web Services API called ‘PushSubscriptionRequest’, which can be used to make the Exchange server connect to an arbitrary website. The attacker then relays the NTLM authentication back to the Exchange server or, more critically, to the domain controller. Because the Exchange Windows Permissions group has access to the Domain object, domain privileges can be obtained through Exchange. The relayed NTLM credentials are used in an LDAP session if LDAP server signing is not enabled, or in an LDAPS session if the attacker chooses to exploit CVE-2017-8563 (originally discovered by Preempt Research Labs). In that LDAP/S session, the attacker can gain domain replication privileges, which are later used to launch a DCSync attack and compromise every account in the domain.
All Microsoft Exchange servers are considered vulnerable, including end-of-life (EoL) versions. For EoL versions, organizations should upgrade to a newer Exchange version. If updating the Exchange server is not an option, companies are encouraged to reset the passwords of all Exchange accounts.
Grabbing email servers is the Holy Grail of APT attacks, as this allows nation-state groups to intercept and read a company’s email communications.
Historically, APTs have targeted Exchange servers before. Groups that have previously hacked Exchange include Turla (a Russia-linked group) and APT33 (an Iranian group).