Posted on March 9, 2020 at 4:54 PM
Volexity, a UK cyber-security company, spotted exploitation of Microsoft Exchange servers on Friday and claimed multiple nation-state groups are responsible.
However, Volexity didn’t comment further on the nature of the attack nor share the names of those attacking syndicates responsible.
The cybersecurity company described the attackers as “all the big players,” but declined to mention countries or the groups involved.
Vulnerability in Microsoft Exchange servers
The servers the hackers are exploiting run a flaw that Microsoft patched last month. The vulnerability is tracked as CVE-2020-0688, and technical details have since been published.
Microsoft Exchange servers failed to generate a unique cryptographic key for the Exchange Control Panel (ECP) during installation.
This means that Microsoft has shipped identical cryptographic keys (decryptionKey and validationKey) on all its Exchange servers for the past 10 years. As a result, attackers can take advantage of this by sending a malformed request to the Exchange Control Panel that contains malicious serialized data.
Because the attackers know the control panel’s encryption keys, they can craft serialized data that the server accepts and deserializes, resulting in malicious code running on the Exchange server’s backend.
The worst part is that the malicious code runs as SYSTEM, giving the attacker complete control of the server.
Microsoft released updates on the 11th of last month to fix the bug. Anticipating attacks, the company asked sysadmins to install the updates as quickly as possible.
Proof-of-concept paved the way for exploit
Nothing happened for the two weeks after the bug fix. However, towards the end of last month, things started escalating when the Zero Day Initiative released a technical report with details about the bug. After the release of the report, the attention of both security researchers and unscrupulous hackers was drawn to the situation.
Security researchers used the published details to create proof-of-concept exploits. The idea was to test their own servers, provide a roadmap for detection, and prepare mitigations.
As in other cases in the past, once the proof-of-concept and technical details of the bug became public, they drew hackers’ attention to the bug even more strongly.
The day after the Zero Day Initiative went public, some hacker groups started scanning the web for Exchange servers, compiling a list of susceptible servers to exploit in the future. A security firm known as Bad Packets detected the first of these scans against Exchange servers.
Volexity said the attackers are not only scanning Exchange servers but attacking them. The security outfit revealed that APTs (Advanced Persistent Threats) are the first group to turn the scanning into actual attacks. APT is a term generally used to refer to government-sponsored cyber-threats.
But Volexity expects other cyber syndicates to follow suit. It suspects that the vulnerability will become very attractive to ransomware groups, who usually target enterprise networks.
Vulnerability is not easy to exploit
The Exchange server vulnerability is not simple to exploit. Security researchers say the bug will not be exploited by unskilled hackers.
According to them, anyone who wants to exploit the bug successfully has to be sophisticated, which is why it is being targeted by state-backed hackers.
“For anyone to successfully exploit CVE-2020-0688, the hacker would need details for an email account on the server,” says Volexity. The hackers would need to log into the server successfully and hijack the system’s email server, which is something an ordinary hacker cannot do.
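Because the attack is a crafted request to the Exchange Control Panel carrying serialized data, and because it only works from an authenticated account, a defender can look for it in the IIS logs of the Exchange server. The following is an added example, not code from the article or from Volexity. It assumes the serialized data arrives in the ASP.NET __VIEWSTATE parameter of a GET request to a path under /ecp/ (the article does not name the parameter), and it runs over constructed W3C-format log lines rather than real traffic. The account name and client address recorded with each hit tell the responder which mailbox credentials were used.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample IIS W3C log (not real traffic). The #Fields line uses the
# default IIS column layout; the "..." in the query string stands for a long
# base64 blob and is part of the constructed sample, not a truncation of real data.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-06 10:01:12 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2020-03-06 10:02:44 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=XXXXXXXX&__VIEWSTATE=%2FwEy... 443 CORP\\bob 203.0.113.9 python-requests/2.22 - 500 0 0 340
2020-03-06 10:02:45 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=XXXXXXXX&__VIEWSTATE=%2FwEy... 443 CORP\\bob 203.0.113.9 python-requests/2.22 - 500 0 0 310
2020-03-06 10:05:00 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\carol 10.0.0.31 Mozilla/5.0 - 200 0 0 90
"""

ECP_PREFIX = "/ecp/"
# Matches a __VIEWSTATE= parameter at the start of the query or after an '&';
# it deliberately does not match __VIEWSTATEGENERATOR=.
VIEWSTATE_RE = re.compile(r"(^|&)__viewstate=", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log record appeared before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_ecp_viewstate_requests(text):
    """Return ECP requests whose query string carries a __VIEWSTATE parameter.

    Normal ECP usage submits view state in a POST body, so a GET with
    __VIEWSTATE in the query string is the shape to triage. cs-username is
    kept because the article notes exploitation needs a valid mailbox login.
    """
    findings = []
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = unquote(rec.get("cs-uri-query", ""))
        if not stem.startswith(ECP_PREFIX):
            continue
        if not VIEWSTATE_RE.search(query):
            continue
        findings.append({
            "time": f"{rec['date']} {rec['time']}",
            "user": rec.get("cs-username", "-"),
            "client_ip": rec.get("c-ip", "-"),
            "status": rec.get("sc-status", "-"),
            "user_agent": rec.get("cs(User-Agent)", "-"),
        })
    return findings


def summarize_by_account(findings):
    """Count hits per (account, client IP) so a responder sees which credentials were used."""
    return Counter((f["user"], f["client_ip"]) for f in findings)


if __name__ == "__main__":
    hits = find_ecp_viewstate_requests(SAMPLE_IIS_LOG)
    for h in hits:
        print(h)
    for (user, ip), n in summarize_by_account(hits).items():
        print(f"{user} from {ip}: {n} suspicious ECP request(s)")
```

Run it against exported IIS logs from the Exchange front end; every hit names the account whose credentials were used, which is the account to reset, and the client address to block or investigate. A script like this finds attempts, not success: the account may have been phished as the article describes, so treat any hit from an account that otherwise only logs in from the corporate network as a confirmed credential compromise.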
The bug won’t keep sophisticated hackers out
The experts say that although this limitation will keep ordinary hackers out of the Exchange server, it is not enough to keep ransomware gangs and APTs at bay.
Ransomware groups and APTs usually spend a lot of their time running phishing campaigns to obtain the email account details of employees in a target organization.
But the email credentials they harvest are useless if the organization uses two-factor authentication (2FA), since the hackers cannot bypass the extra security.
With the CVE-2020-0688 bug, however, APTs now have a use for the phished accounts already in their custody. They would not need to bypass 2FA to gain access to the victim’s Exchange server.