Several groups of nation states hack Microsoft Exchange servers

Several groups of nation states hack Microsoft Exchange servers

A number of government-supported hacking groups exploit a recent patch vulnerability in Microsoft Exchange email servers.

The exploits were first detected by British cybersecurity company Volexity on Friday and confirmed to ZDNet today by a DOD source.

Volexity did not share the names of the hacking groups that exploit this Exchange vulnerability. Volexity did not return a comment request for additional details.

The DOD source described the hacking groups as “all great players”, who also denied naming groups or countries.

Microsoft Exchange vulnerability

These state-sponsored hacking groups exploit a vulnerability in the Microsoft Exchange email servers that Microsoft hacked last month, on the Patch Tuesday in February 2020.

The vulnerability is traced under the ID of CVE-2020-0688. The following is a summary of the technical details of the vulnerability:

  • During installation, Microsoft Exchange servers do not create a unique cryptographic key for the Exchange Control Panel.
  • This means that all Microsoft Exchange email servers launched over the past ten years use the same cryptographic keys (validationKey and decryptionKey) for control panel support.
  • Attackers can submit malicious requests to the Exchange Control Panel that contain malicious serialized data.
  • Since hackers know the encryption keys in the control panel, they can make sure that serialized data is not serialized, which generates malicious code that runs on the backend of the Exchange server.
  • The malicious code is executed with system privileges, giving the attackers full control of the server.

Microsoft released patches for this error on February 11, when it also warned sysadmins to install solutions as soon as possible, foreseeing future attacks.

Nothing happened for almost two weeks. However, things got even closer to the end of the month when the Zero-Day Initiative, which reported the bug to Microsoft, released a technical report detailing the error and how it worked.

The report served as a roadmap for security researchers, who used the information contained in the design concept holdings to test their own servers and create detection rules and mitigation.

At least three of these proof-of-concept concepts found their way to GitHub (1, 2, 3). A Metasploit module was soon followed.

As in many other cases before, when the technical details and proof-of-concept code were made public, hackers also began to pay attention.

On February 26, a day after the Zero-Day Initiative was broadcast live, hackers began scanning the Internet for Exchange servers, collecting lists of vulnerable servers that they could target at a later date. The first such scans were detected by the intelligence company Bad Packets.

CVE-2020-0688 started mass scanning activity. Please refer to our API for “tags = CVE-2020-0688” to locate hosts performing scans. #threatintel

– Wrong Package Report (@bad_packets) February 25, 2020

Now, according to Volexity, Exchange server scans have become real attacks.

The first to address this error were APTs – “advanced persistent threats”, a term often used to describe state-sponsored pirate groups.

However, other groups are also expected to follow suit. Security researchers whom ZDNet spoke with earlier said they anticipate the bug to become very popular with ransomware bands that regularly run enterprise networks.

Harmonize older and useless phishing credentials

This Exchange vulnerability, however, is not easy to exploit. Security experts do not see this bug being abused by kiddies (a term used to describe low-level hackers).

To exploit CVE-2020-0688 Exchange Error, hackers need the credentials for an email account on the Exchange server, which script scripts usually do not have.

CVE-2020-0688 Security Default is an error called post-authentication. The hackers must first log in and then execute the malicious payload hijacked by the victim’s email server.

But while that limitation will keep the script kiddies out, APTs and ransomware bands do not apply, experts said.

APTs and ransomware bands often spend most of their time launching phishing campaigns, after they get email credentials for their employees.

If an organization applies 2-Factor Authentication (2FA) for email accounts, then those credentials are essentially useless, as 2FA can not be hacked by hackers.

Error CVE-2020-0688 allows APTs to finally find a purpose for those older 2FA-protected accounts that had spit months or years earlier.

They can use any of these older credentials as part of the CVE-2020-0688 operation without the need to bypass 2FA, but still take over the victim’s Exchange server.

Good point about this: Sometimes an APT will get some valid passwords for user accounts in a target organism, but will not be able to use them immediately because of 2FA. However, you can add the credits and patiently wait for new opportunities to emerge.

– Brian at Pittsburgh (@arekfurt) March 7, 2020

Organizations with “APT” or “ransomware” in their threat array are encouraged to upgrade their Exchange email servers with the February 2020 security updates as soon as possible.

All Microsoft Exchange servers are considered vulnerable, even life-threatening (EoL) versions. For EoL versions, organizations should look for the upgrade to a newer Exchange version. If updating the Exchange server is not an option, companies are encouraged to reset a password for all Exchange accounts.

Grabbing email servers is the Holy Grail of APT attacks, as this allows nation-state groups to intercept and read a company’s email communications.

Historically, APTs have previously served with Exchange servers. Previous APTs that have hacked Exchange include Turla (a Russia-linked group) and APT33 (an Iranian group).

This post on the TrustedSec blog contains instructions on how to detect if an Exchange server has already been hacked by this error.


  • No Related Posts

Top 6 Ways to Fix Cannot Expand Folder Error in Outlook

5. Create a New Outlook Profile

It is recommended that you follow point 4 above before moving on to create a new profile. Rename the folder that you can’t expand in Outlook. Right-click on the folder and select the Rename option to do so. Take a backup, if you must. If you have taken a backup on the server or in the cloud, delete the profile the below mentioned:


Of course, the Username above and the drive letter should be your corresponding user name and Windows installation drive. Reboot your computer.

Open Outlook and under the Files menu, click on Account Settings > Manage Profiles.

Click on Show Profiles.

Click on Add to begin creating a new profile.

You can now add email accounts to this newly created profile and check if you still get the Cannot expand folder error.

6. Repair PST and OST File

The Outlook email account data is stored in a .PST file if you are using IMAP or POP account. The same is stored in a .OST file if you are using Office 365 or Exchange account. Depending on the email account throwing the Cannot expand folder error in Outlook app, choose one method.

Repair OST File

Open Control Panel and go to User Account > Mail > Show Profiles. Select the profile you are having trouble with and click on Properties below. Now select Data Files in the pop-up that follows.

Select the email account data file and click on Open File Location.

A new window will open with a file name with .OST extension. Delete the file and reboot your computer. Launch Outlook and it will recreate the file automatically.

Repair PST File

The same steps won’t work for .PST file. Press Windows key+R to open the Run prompt. Enter the below file path in case of Office 2016, Office 2019, and Office 365.

C:Program Files (x86)Microsoft OfficerootOffice16

For Outlook 2013:

C:Program Files (x86)Microsoft OfficeOffice15

Double-click the SCANPST.EXE file, which will launch the Microsoft Outlook Inbox Repair experience. I wish there was a direct way of launching it.

Click on Browse on the pop-up that follows.

A new File Explorer window will open. You need to locate the .PST file here and when you find it, click on the Start button.

Select ‘Make a backup of scanned file before repairing’ option to create a backup in case something goes wrong.

Now click on Repair to begin the process.

Look Out

There are way too many versions of Outlook that Microsoft has released over the years. That makes troubleshooting a bit more difficult. However, we try our best to offer the best workable solutions. If you have found another way to solve the Cannot open folder error in the Outlook app, let us know in the comments below.

Next up:Using Microsoft Outlook on your smartphone? Here are 9 cool Outlook tips and tricks for Android and iOS.

Last updated on 29 Feb, 2020
Read NextTop 9 Outlook Email Tips and Tricks for iOS and AndroidAlso See#email #Microsoft

Did You Know

The term spam pre-dates e-mail.

More in Windows

How to Get Apple Reminders on Windows

Top 9 Google Sheets Budget Templates for Finance Tracking

Join the newsletter

Get Guiding Tech articles delivered to your inbox.

Share on


Join the newsletter

SubscribeView Comments

Written By

Gaurav Bidasaria

Gaurav is a tech enthusiast who loves talking about new gadgets and innovations. He dropped out of CA because he found the work life boring and monotonous! He recently started working out but mostly, you will find him on the couch either Netflix-ing or gaming.

  • #Android
  • #Windows#Internet#iOS#Gadgets#Mac#Buying Guides

  • #How-tos
  • #Comparisons#Tips & Tricks

  • Facebook
  • Facebook (Hindi)InstagramInstagram (Hindi)YouTubeYouTube (Hindi)TwitterTwitter (Hindi)

  • Guiding Tech

    AboutContactTerms of UsePrivacy Policy


    © 2020 Guiding Media Pvt Ltd. All Rights Reserved.

  • Related:

    • No Related Posts

    Israeli Exchange, BTP Team up on Blockchain Securities Platform

    Email was send successfully!

    Please check your inbox for

    our authentication email.

    Sign up to Finance Magnates
    I already have an account

    *required fields

    Sign me up for Finance Magnates’ News Updates
    I want to know about Finance Magnates’ Events
    By signing up I agree to Finance Magnates’ Terms, Cookies and Privacy Notice

    Thank you for registering

    to Finance Magnates.

    Please open the email we

    sent you and click on the

    link to verify your account.



    All NewsRetail FX
    AnalysisBrokersProductsRegulationTechnologyBloggersInstitutional FX
    ExchangesExecutionPrime BrokerageRegulationTechnologyBloggersExecutives
    Expert InsightsExecutive MovesInterviewsExpert ListCryptoCurrency
    NewsExchangesCoinsICOsRegulationEducation CenterFinTech


    • No Related Posts

    How to Use RightSignature on Android

    Click the hamburger icon in the upper left hand corner to be taken to the menu.

    User-added image


    The Documents tab displays all documents the user is a party to. Click on a specific document to display more details.

    User-added image


    All Templates in the account will be listed under this tab, with the most recently created one at the top.

    User-added image

    If there are Merge Fields, you will be prompted to enter merge data into the document before sending.


    This tab lists your name and email address, the account you are logged into, and gives the option to Sign Out. The web app will need to be accessed in order to change any account information.

    User-added image

    Contact Support will send an email request to using the phone’s default email.


    • No Related Posts