NSA Warns Admins About Microsoft Exchange Flaws

Microsoft Exchange Server Flaws

The U.S. National Security Agency (NSA) warned about a post-authentication remote code execution flaw affecting all licensed Microsoft Exchange Servers in a tweet published on the agency's Twitter account.

The NSA's tweet reminded followers to patch the CVE-2020-0688 vulnerability, which would allow potential attackers to use email credentials to execute commands on vulnerable Microsoft Exchange Servers.

Microsoft fixed this RCE security flaw as part of the February 2020 Patch Tuesday and tagged it with an “Exploitation More Likely” exploitability index assessment, hinting that CVE-2020-0688 is an attractive target for attackers.

People are taking advantage of Microsoft Exchange Server Flaws

On the same day, researchers at security firm Volexity reported that exploitation of this security flaw began in late February, with several companies already having had their networks compromised after state-backed advanced persistent threat (APT) groups took advantage of the CVE-2020-0688 flaw.

“Volexity has also observed multiple concerted efforts by APT groups to brute-force credentials by leveraging Exchange Web Services (EWS) in an effort to likely exploit this vulnerability,” their report says.

“Volexity believes these efforts to be sourced from known APT groups due to IP address overlap from other attacks and, in some cases, due to the targeting of credentials that would only be known from a previous breach.”

Volexity Microsoft Exchange Tweet
Source : BleepingComputer

A U.S. Department of Defense (DoD) source also confirmed the ongoing attacks to ZDNet, although, just like Volexity, it didn't name the groups or the countries behind them.

After his report, Rapid7 added a new module targeting this flaw to the Metasploit pen-testing tool, following the appearance of multiple proof-of-concept exploits on GitHub.

Sigma rules for SIEM systems, provided by Nextron Systems's Florian Roth, are available for detecting exploitation attempts against unpatched Exchange servers. – Source Bleeping Computer

Microsoft Exchange Server RCE vulnerability

As Zuckerbraun explained, “any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server.”

“Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will,” he added. “Accordingly, if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete.”

The actively exploited vulnerability was found in the Exchange Control Panel (ECP) component and is caused by Exchange failing to create unique cryptographic keys when it is installed.

Once successfully exploited, it enables authenticated attackers to execute code remotely with SYSTEM privileges and completely compromise the server.

The security update descriptions for vulnerable Microsoft Exchange Server versions are available in the screenshot below

Microsoft Exchange Security Updates
