Several groups of nation states hack Microsoft Exchange servers

Several groups of nation states hack Microsoft Exchange servers

A number of government-supported hacking groups exploit a recent patch vulnerability in Microsoft Exchange email servers.

The exploits were first detected by British cybersecurity company Volexity on Friday and confirmed to ZDNet today by a DOD source.

Volexity did not share the names of the hacking groups that exploit this Exchange vulnerability. Volexity did not return a comment request for additional details.

The DOD source described the hacking groups as “all great players”, who also denied naming groups or countries.

Microsoft Exchange vulnerability

These state-sponsored hacking groups exploit a vulnerability in the Microsoft Exchange email servers that Microsoft hacked last month, on the Patch Tuesday in February 2020.

The vulnerability is traced under the ID of CVE-2020-0688. The following is a summary of the technical details of the vulnerability:

  • During installation, Microsoft Exchange servers do not create a unique cryptographic key for the Exchange Control Panel.
  • This means that all Microsoft Exchange email servers launched over the past ten years use the same cryptographic keys (validationKey and decryptionKey) for control panel support.
  • Attackers can submit malicious requests to the Exchange Control Panel that contain malicious serialized data.
  • Since hackers know the encryption keys in the control panel, they can make sure that serialized data is not serialized, which generates malicious code that runs on the backend of the Exchange server.
  • The malicious code is executed with system privileges, giving the attackers full control of the server.

Microsoft released patches for this error on February 11, when it also warned sysadmins to install solutions as soon as possible, foreseeing future attacks.

Nothing happened for almost two weeks. However, things got even closer to the end of the month when the Zero-Day Initiative, which reported the bug to Microsoft, released a technical report detailing the error and how it worked.

The report served as a roadmap for security researchers, who used the information contained in the design concept holdings to test their own servers and create detection rules and mitigation.

At least three of these proof-of-concept concepts found their way to GitHub (1, 2, 3). A Metasploit module was soon followed.

As in many other cases before, when the technical details and proof-of-concept code were made public, hackers also began to pay attention.

On February 26, a day after the Zero-Day Initiative was broadcast live, hackers began scanning the Internet for Exchange servers, collecting lists of vulnerable servers that they could target at a later date. The first such scans were detected by the intelligence company Bad Packets.

CVE-2020-0688 started mass scanning activity. Please refer to our API for “tags = CVE-2020-0688” to locate hosts performing scans. #threatintel

– Wrong Package Report (@bad_packets) February 25, 2020

Now, according to Volexity, Exchange server scans have become real attacks.

The first to address this error were APTs – “advanced persistent threats”, a term often used to describe state-sponsored pirate groups.

However, other groups are also expected to follow suit. Security researchers whom ZDNet spoke with earlier said they anticipate the bug to become very popular with ransomware bands that regularly run enterprise networks.

Harmonize older and useless phishing credentials

This Exchange vulnerability, however, is not easy to exploit. Security experts do not see this bug being abused by kiddies (a term used to describe low-level hackers).

To exploit CVE-2020-0688 Exchange Error, hackers need the credentials for an email account on the Exchange server, which script scripts usually do not have.

CVE-2020-0688 Security Default is an error called post-authentication. The hackers must first log in and then execute the malicious payload hijacked by the victim’s email server.

But while that limitation will keep the script kiddies out, APTs and ransomware bands do not apply, experts said.

APTs and ransomware bands often spend most of their time launching phishing campaigns, after they get email credentials for their employees.

If an organization applies 2-Factor Authentication (2FA) for email accounts, then those credentials are essentially useless, as 2FA can not be hacked by hackers.

Error CVE-2020-0688 allows APTs to finally find a purpose for those older 2FA-protected accounts that had spit months or years earlier.

They can use any of these older credentials as part of the CVE-2020-0688 operation without the need to bypass 2FA, but still take over the victim’s Exchange server.

Good point about this: Sometimes an APT will get some valid passwords for user accounts in a target organism, but will not be able to use them immediately because of 2FA. However, you can add the credits and patiently wait for new opportunities to emerge.

– Brian at Pittsburgh (@arekfurt) March 7, 2020

Organizations with “APT” or “ransomware” in their threat array are encouraged to upgrade their Exchange email servers with the February 2020 security updates as soon as possible.

All Microsoft Exchange servers are considered vulnerable, even life-threatening (EoL) versions. For EoL versions, organizations should look for the upgrade to a newer Exchange version. If updating the Exchange server is not an option, companies are encouraged to reset a password for all Exchange accounts.

Grabbing email servers is the Holy Grail of APT attacks, as this allows nation-state groups to intercept and read a company’s email communications.

Historically, APTs have previously served with Exchange servers. Previous APTs that have hacked Exchange include Turla (a Russia-linked group) and APT33 (an Iranian group).

This post on the TrustedSec blog contains instructions on how to detect if an Exchange server has already been hacked by this error.


  • No Related Posts