NSA Warns Admins About Microsoft Exchange Flaws!
The U.S. National Security Agency (NSA) warned about a post-authentication remote code execution (RCE) flaw affecting all licensed Microsoft Exchange Server versions in a tweet published on the agency's Twitter account.
NSA's tweet reminded followers to patch CVE-2020-0688, a vulnerability that allows an attacker holding valid email credentials to execute commands on unpatched Microsoft Exchange servers.
Microsoft fixed this RCE flaw as part of the February 2020 Patch Tuesday and tagged it with an "Exploitation More Likely" exploitability index assessment, hinting that CVE-2020-0688 is an attractive target for attackers.
People are taking advantage of Microsoft Exchange Server Flaws
On the same day, researchers at security firm Volexity reported that exploitation of this flaw began in late February, with several organizations already having had their networks compromised after state-backed advanced persistent threat (APT) groups took advantage of CVE-2020-0688.
“Volexity has also observed multiple concerted efforts by APT groups to brute-force credentials by leveraging Exchange Web Services (EWS) in an effort to likely exploit this vulnerability,” their report says.
“Volexity believes these efforts to be sourced from known APT groups due to IP address overlap from other attacks and, in some cases, due to the targeting of credentials that would only be known from a previous breach.”
A U.S. Department of Defense (DoD) source also confirmed the ongoing attacks to ZDNet, although, just like Volexity, it didn't name the groups or the countries behind them.
Sigma rules for SIEM systems, provided by Nextron Systems' Florian Roth, are available for detecting exploitation attempts against unpatched Exchange servers. – Source: Bleeping Computer
Microsoft Exchange Server RCE vulnerability
As Zuckerbraun explained, “any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server.”
“Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will,” he added. “Accordingly, if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete.”
The actively exploited vulnerability was found in the Exchange Control Panel (ECP) component and is caused by Exchange failing to generate unique cryptographic keys at installation time.
Once successfully exploited, it allows authenticated attackers to execute code remotely with Device privileges, completely compromising the exploited server.
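The two passages above (the Sigma rules for spotting exploitation attempts, and the ECP component whose ViewState handling is abused once the shared key is known) can be tied together in a small log check. The following Python is an added example written for this page; it is not the Sigma rule itself, nor code from NSA, Volexity or Microsoft. It assumes, as a defender's approximation of the published detection logic, that an exploitation attempt against ECP shows up in IIS W3C logs as a request to a `/ecp/` path carrying both `__VIEWSTATE` and `__VIEWSTATEGENERATOR` in the URL query string (normal browser use of ECP sends ViewState in a POST body, not in the query), and that a rejected ViewState is logged in the Windows Application log as event ID 4 from source "MSExchange Control Panel" with "Invalid viewstate" in the message. The log lines and the event record are constructed sample data, not captured traffic.

```python
from typing import Dict, List

# Constructed IIS W3C extended log sample (not real traffic). The third line
# carries a ViewState in the query string of an /ecp/ request, which is the
# pattern we want to flag; the last line has __VIEWSTATE alone and must not fire.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-26 10:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 443 - 203.0.113.7 Mozilla/5.0 200
2020-02-26 10:13:44 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAA 443 jdoe@example.test 203.0.113.7 python-requests/2.22 500
2020-02-26 10:15:02 10.0.0.5 POST /ecp/default.aspx - 443 admin@example.test 10.0.0.20 Mozilla/5.0 200
2020-02-26 10:16:30 10.0.0.5 GET /ecp/default.aspx __VIEWSTATE=abc 443 - 198.51.100.9 curl/7.68 302
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request.

    Column names come from the most recent '#Fields:' directive, so the parser
    follows whatever field order the server was configured to log.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        records.append(dict(zip(fields, parts)))
    return records


def is_ecp_viewstate_in_query(rec: Dict[str, str]) -> bool:
    """Assumed detection condition: /ecp/ request with BOTH ViewState
    parameters supplied in the URL query string."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.startswith("/ecp/"):
        return False
    query = rec.get("cs-uri-query", "")
    names = {p.split("=", 1)[0].lower() for p in query.split("&") if p}
    return "__viewstate" in names and "__viewstategenerator" in names


def find_attempts(text: str) -> List[Dict[str, str]]:
    """Return the source IP, account and status for every suspicious request.

    The account matters for response: a hit means that mailbox credential is
    already in the attacker's hands and must be reset along with patching.
    """
    hits = []
    for rec in parse_w3c(text):
        if is_ecp_viewstate_in_query(rec):
            hits.append({
                "when": f'{rec["date"]} {rec["time"]}',
                "c-ip": rec.get("c-ip", "-"),
                "cs-username": rec.get("cs-username", "-"),
                "sc-status": rec.get("sc-status", "-"),
            })
    return hits


def is_invalid_viewstate_event(event: Dict[str, str]) -> bool:
    """Assumed Application-log counterpart: ECP rejecting a bad ViewState.

    Event shape (ID 4, source 'MSExchange Control Panel', 'Invalid viewstate'
    in the message) is an assumption made for this example.
    """
    return (
        event.get("EventID") == "4"
        and event.get("Source") == "MSExchange Control Panel"
        and "invalid viewstate" in event.get("Message", "").lower()
    )


# Constructed sample event record (not a real log entry).
SAMPLE_EVENT = {
    "EventID": "4",
    "Source": "MSExchange Control Panel",
    "Message": "Current user: 'jdoe@example.test' Request for URL "
               "'https://mail.example.test/ecp/default.aspx' failed: "
               "Invalid viewstate.",
}

if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_IIS_LOG):
        print("ECP ViewState-in-query request:", hit)
    print("Application log event suspicious:", is_invalid_viewstate_event(SAMPLE_EVENT))
```

Requiring both parameters keeps the false-positive rate low: legitimate ECP pages never place ViewState in the query string, while a lone `__VIEWSTATE` token can appear in scanner noise. Run against real IIS logs from the Exchange front end, every hit should be triaged as a compromised credential, not just a blocked request, because the exploit only works for an attacker who already authenticated.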
The security update descriptions for vulnerable Microsoft Exchange Server versions are available in the screenshot below.