Hackers scan network for vulnerable Microsoft Exchange servers

Hackers Scan Microsoft Exchange

Information security experts warn that hackers are already scanning the network for Microsoft Exchange servers that are vulnerable to CVE-2020-0688, which Microsoft developers fixed two weeks ago.

The problem is related to the operation of the Exchange Control Panel (ECP) component and the inability of Microsoft Exchange to create unique cryptographic keys during installation.

“The bug allows authenticated attackers remotely execute arbitrary code with SYSTEM privileges and completely compromise the vulnerable server”, – describe the problem Microsoft experts.

Demonstration of the problem with using static cryptographic keys on an unpatched server has already been published by Zero Day Initiative (see video below). Researchers warn that any remote attacker, which compromises the device or credentials of an employee of the company, will be able to go to the Exchange server and will be able to read and fake corporate mail.

Well-known information security experts Kevin Beaumont and Troy Mursch from Bad Packets are already warning about mass scanning of the network in search of vulnerable servers.

“CVE-2020-0688 mass scanning activity has begun. That was quick, since 2 hours ago seeing likely mass scanning for CVE-2020-0688 (Microsoft Exchange 2007+ RCE vulnerability)”, — writes Kevin Beaumont.

Experts point out that authentication on target servers is not a problem for attackers. They pass it through with the tools for collecting information about company employees on LinkedIn, and then use this data, combined with credential stuffing, and also Outlook Web Access (OWA) and ECP.

“This vulnerability just spills credentials. You are logged in with SYSTEM privileges. Start Mimikatz. Exchange stores user credentials in memory, in plain text format, so you end up with all user passwords without hashing”, – writes Kevin Beaumont.

Administrators of the vulnerable server recommend installing patches as soon as possible.

I also recall that recently Microsoft advised administrators to disable the SMBv1 protocol on Exchange servers to protect against threats that exploit its vulnerabilities.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published. Required fields are marked *