NSA warns state-sponsored hackers are exploiting Microsoft Exchange Server vulnerability
Both the NSA and a cybersecurity firm have reminded the tech world of the existence of a remote code execution vulnerability in Microsoft Exchange Server.
Although Microsoft issued a patch for CVE-2020-0688 last month, numerous state-sponsors hacking groups have been spotted exploiting the vulnerability. There was an uptick in exploitation after a technical report of the details of the vulnerability were published by a security researcher.
Towards the end of February, Simon Zuckerbraun from the Zero Day Initiative published a detailed writeup about the problem with Exchange Server, seemingly handing valuable information to hackers-in-waiting.
Microsoft has indicated that the patch for the vulnerability is Important, noting that it affects Microsoft Exchange Server 2010, 2013, 2016 and 2019. The company describes the security issue: "A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM".
The NSA tweeted a simple reminder of the existence of the vulnerability:
A remote code execution #vulnerability (CVE-2020-0688) exists in Microsoft Exchange Server. If unpatched, an attacker with email credentials can execute commands on your server.
Mitigation Guidance available at: https://t.co/MMlBo8BsB0
— NSA/CSS (@NSAGov) March 7, 2020
A source at the Department of Defense later confirmed to ZDNet that multiple government-backed hacking groups, described as "all the big players", were attacking unpatched servers. Cybersecurity firm Volexity also tweeted a warning:
Active exploitation of Microsoft Exchange servers by APT actors via the ECP vulnerability CVE-2020-0688. Learn more about the attacks and how to protect your organization here: https://t.co/fwoKvHOLaV#dfir #threatintel #infosec pic.twitter.com/2pqe07rrkg
— Volexity (@Volexity) March 6, 2020
In a blog post, the company offers advice to mitigate against the vulnerability:
The most obvious way to address this vulnerability is to apply the security updates made available from Microsoft on February 11, 2020. Another best practice that Volexity has long advised is to place access control list (ACL) restrictions on the ECP virtual directory in IIS and/or via any web application firewall capability. Volexity recommends that the ECP directory not be accessible to anyone that does not specifically need to access it. Ideally, this means disabling access from the Internet and even restricting which IPs within an organization can reach it. It is worth noting that 2FA may prevent the attack from being successful, as the attacker may not be able to acquire the data needed to exploit the vulnerability.
Volexity also strongly recommends that organizations continue to expire passwords and require users to update passwords periodically. Despite various guidance about passwords never needing to be changed, Volexity frequently works cases where old passwords resulted in serious data breaches. This vulnerability underscores such a case where an organization can be locked down, have properly deployed 2FA, and still have an incident due to outdated or weak password. Furthermore, Volexity recommends disabling accounts that are no longer needed or that have not logged in for extended periods of time (e.g., greater than 90 days).