A post-auth remote code execution vulnerability affecting all supported versions of Microsoft Exchange Server is now being exploited in the wild by multiple advanced persistent threat (APT) groups.
The vulnerability, tracked as CVE-2020-0688, is present in the Exchange Control Panel (ECP) component of Microsoft Exchange Server and is the result of the installer's failure to generate unique cryptographic keys. That means that all Microsoft Exchange Servers use the same cryptographic keys for the backend of their control panels.
Once authenticated, an attacker could exploit the flaw and take full control of the server by sending malformed requests to the Exchange Server containing malicious serialized data. Since the cryptographic keys are known to the attacker, the serialized data is accepted and deserialized, which allows malicious code to run on the backend of the Exchange Server with SYSTEM privileges.
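The condition described above is that every server shares one set of ASP.NET machineKey values. The following added example (not code from the original article) shows how an administrator who has collected the ECP web.config from each Exchange server could confirm whether their validationKey/decryptionKey pairs are shared across hosts; the host names and key values are constructed placeholders, not the real Exchange defaults.

```python
"""Fleet-wide check for shared ASP.NET machineKey values (the CVE-2020-0688 condition)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: three hosts, two of which share the same keys.
# The key strings are placeholders and deliberately not the real defaults.
_SHARED = ('<configuration><system.web>'
           '<machineKey validationKey="VALIDATIONKEY_PLACEHOLDER_AAAA" '
           'decryptionKey="DECRYPTIONKEY_PLACEHOLDER_BBBB" '
           'validation="SHA1" decryption="3DES"/>'
           '</system.web></configuration>')
_UNIQUE = ('<configuration><system.web>'
           '<machineKey validationKey="VALIDATIONKEY_PLACEHOLDER_CCCC" '
           'decryptionKey="DECRYPTIONKEY_PLACEHOLDER_DDDD" '
           'validation="SHA1" decryption="3DES"/>'
           '</system.web></configuration>')
SAMPLE_CONFIGS = {
    "exch01.corp.example": _SHARED,
    "exch02.corp.example": _SHARED,
    "exch03.corp.example": _UNIQUE,
}


def extract_machine_key(web_config_xml):
    """Return (validationKey, decryptionKey) from a web.config, or None if absent."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return None
    return (mk.get("validationKey"), mk.get("decryptionKey"))


def find_shared_keys(configs):
    """Map each (validationKey, decryptionKey) pair to the hosts using it,
    keeping only pairs that appear on more than one host."""
    by_key = defaultdict(list)
    for host, xml in configs.items():
        key = extract_machine_key(xml)
        if key is not None:
            by_key[key].append(host)
    return {k: sorted(hosts) for k, hosts in by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    for (vk, _dk), hosts in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"shared machineKey on {', '.join(hosts)} (validationKey {vk[:16]}...)")
```

A non-empty result means those servers still run with identical keys; as the article notes, the only fix is to apply the patch on every affected server.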
The vulnerability was patched by Microsoft on February's Patch Tuesday. Microsoft warned that the flaw would likely be used in real-world attacks, but many enterprises have still not applied the patch. There are no mitigations available to prevent exploitation; the only solution is to apply the patch on all vulnerable servers. Even where two-factor authentication is implemented, it would not provide protection against exploitation. That means that previously compromised credentials, which were essentially useless once 2FA had been enabled, could now be used in combination with the CVE-2020-0688 exploit.
According to researchers at Volexity, it didn’t take long for state-sponsored APT groups to start exploiting the flaw. Several organizations were attacked in late February and had their networks compromised.
Since this is a post-auth vulnerability, credentials are required to exploit the flaw. Volexity observed a major increase in brute force attacks on Exchange Web Services (EWS) in late February, which is assumed to have been aimed at obtaining credentials to allow exploitation of the CVE-2020-0688 flaw. BleepingComputer has previously reported that scans for vulnerable Microsoft Exchange Servers started on February 25 and that several proof-of-concept exploits for CVE-2020-0688 have been published on GitHub.
If the credentials of any enterprise user are obtained, a remote attacker could log in, exploit the flaw and gain full control of a vulnerable Microsoft Exchange Server. This would allow an attacker to obtain sensitive email communications, conduct business email compromise attacks, and falsify business emails.
A spokesperson for the U.S. Department of Defense confirmed that all the major APT groups are now actively exploiting the flaw. The National Security Agency (NSA) tweeted this week to remind its followers to ensure the patch is applied as soon as possible to prevent exploitation.