Security researchers have disclosed details of attacks exploiting a vulnerability in Microsoft Exchange. Cyber-security company Volexity says several hacking groups have targeted the flaw, which Microsoft has already patched. Notably, the firm says the groups are government-backed.
However, Volexity did not say which groups it believes are behind the attacks, and it offered no further details on them.
The Department of Defense (DoD), for its part, confirmed the attacks to ZDNet and said the hacking groups are “all the big players”.
The vulnerability in question is located in Microsoft Exchange and is tracked as CVE-2020-0688. Below is how Microsoft describes the flaw in its official security advisory:
“A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.”
It is worth noting that Microsoft released a fix for this vulnerability on February 11, last month's Patch Tuesday. Redmond expected the bug to be exploited and urged users and admins to update as soon as possible.
Many seemingly did not heed that warning, and attacks have been under way since the end of February. Three proofs-of-concept have been published on GitHub [1, 2, 3], and hackers are now targeting the flaw, which is no longer a zero-day but remains unpatched on many servers.
Exploit
Volexity points out that real attacks have started, although exploiting the Microsoft Exchange vulnerability is not trivial: valid credentials for an Exchange mailbox are needed, which the company says limits exploitation to well-resourced attackers.
Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail and other services, limiting what an attacker can do with a compromised password. CVE-2020-0688 raises the stakes on every leaked password: because the attacker needs only a working username and password for a mailbox, and the deserialization happens inside the Exchange web application running as SYSTEM, a phished or reused password is enough to take over the mail server rather than just one mailbox.
The security company offers several mitigations. First, and obviously, apply the patch Microsoft issued a month ago. Volexity also says admins should expire passwords and require users to change them regularly, since the attack depends on working credentials.
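Patching stops future exploitation but says nothing about whether a server was already hit. The public proofs-of-concept all work by sending a forged __VIEWSTATE (together with __VIEWSTATEGENERATOR) to the Exchange Control Panel at /ecp/, which leaves a distinctive trace in the IIS logs: the ECP normally receives ViewState in a POST body, not in the query string. The script below is an added example, not code from Volexity or from the article, that scans an IIS W3C log for that pattern and reports which account and source address made the requests. The log excerpt, the host names, the account name and the query values in it are constructed for the example, and it assumes the default IIS W3C field set (`#Fields:` header present, `cs-uri-query`, `cs-username` and `c-ip` columns logged).

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample IIS W3C log (not real traffic): two ordinary ECP/OWA
# requests plus two that carry __VIEWSTATE and __VIEWSTATEGENERATOR in the
# query string, the shape produced by the public CVE-2020-0688 PoCs.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-02 09:12:01 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.42 Mozilla/5.0 - 200 0 0 120
2020-03-02 09:12:07 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAconstructed 443 CORP\\alice 203.0.113.7 python-requests/2.22.0 - 500 0 0 88
2020-03-02 09:12:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAconstructed 443 CORP\\alice 203.0.113.7 python-requests/2.22.0 - 500 0 0 91
2020-03-02 09:15:30 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.42 Mozilla/5.0 - 302 0 0 15
"""


def parse_iis_log(text):
    """Parse an IIS W3C log into dicts keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) or blank lines
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        rows.append(dict(zip(fields, values)))
    return rows


def is_viewstate_probe(row):
    """True for a request to /ecp/ that supplies ViewState via the query string."""
    if not row.get("cs-uri-stem", "").lower().startswith("/ecp/"):
        return False
    query = row.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' when there is no query string
        return False
    # parse_qs decodes percent-encoding; only the parameter names matter here
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in names and "__viewstategenerator" in names


def find_exploit_attempts(text):
    """Return the parsed log rows that look like CVE-2020-0688 attempts."""
    return [row for row in parse_iis_log(text) if is_viewstate_probe(row)]


def summarize(hits):
    """Count attempts per (account, source IP); the account is the credential to expire."""
    return Counter((h["cs-username"], h["c-ip"]) for h in hits)


if __name__ == "__main__":
    attempts = find_exploit_attempts(SAMPLE_IIS_LOG)
    for (user, ip), count in summarize(attempts).items():
        print(f"{count} ViewState request(s) to /ecp/ as {user} from {ip}")
    for h in attempts:
        print(f"  {h['date']} {h['time']} status={h['sc-status']} ua={h['cs(User-Agent)']}")
```

Every hit names an account whose password should be reset, because the request could only have been made with that account's valid credentials; a source IP outside the organization's ranges with a scripting user agent, as in the sample, is a strong signal. Point the script at the real log directory (by default under `C:\inetpub\logs\LogFiles\` on the Exchange server) and check all log files back to mid-February, when the first proofs-of-concept appeared.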