Unnamed state-sponsored hacking groups are exploiting CVE-2020-0688, a vulnerability in Microsoft Exchange email servers that the company patched in its February 2020 Patch Tuesday release.
As part of the Patch Tuesday routine, Microsoft released cumulative updates and a service pack addressing this remote code execution bug located in Microsoft Exchange 2010, 2013, 2016, and 2019.
It is noteworthy that the bug was discovered by an anonymous researcher and reported to Microsoft via Trend Micro’s Zero Day Initiative (ZDI). Two weeks later, ZDI published more information about the vulnerability, also clarifying that an attacker could exploit CVE-2020-0688 under certain conditions. ZDI’s report was meant to help security researchers test their servers, create detection rules and prepare mitigation techniques. However, some of the resulting proof-of-concept exploits were shared on GitHub, followed by a Metasploit module. It didn’t take long for threat actors to leverage the abundance of technical details.
The first to report on the state-sponsored hacking groups was Volexity, a UK cybersecurity firm. The firm didn’t share any specifics and hasn’t said where the attacks originate from, though the groups are known to include “all the big players”, according to ZDNet.
More about CVE-2020-0688
According to Microsoft, “a remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.”
To explain further: Microsoft Exchange setup fails to generate a unique cryptographic key for the Exchange control panel (ECP) during installation. As a result, every Microsoft Exchange email server released in the last decade uses the same cryptographic keys for the control panel’s backend.
So, how can attackers exploit the vulnerability? By sending malformed requests containing malicious serialized data to the Exchange control panel. Because the control panel’s validation keys are known, an authenticated attacker can craft serialized data that the server accepts and deserializes, resulting in malicious code running on the server’s backend.
If you want to make sure that your Exchange server hasn’t been hacked, you can use this TrustedSec tutorial.
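One concrete check a defender can run for the exploitation path described above is to scan the Exchange server’s IIS logs for requests to the control panel that carry ViewState in the query string, since normal ECP browsing does not put `__VIEWSTATE` and `__VIEWSTATEGENERATOR` in the URL. The script below is an added example, not code from this article or from TrustedSec; it assumes the IIS default W3C field order and uses constructed sample log lines.

```python
"""Flag IIS log entries that look like CVE-2020-0688 attempts against the
Exchange Control Panel: a request to /ecp/default.aspx whose query string
carries ASP.NET ViewState (__VIEWSTATE and __VIEWSTATEGENERATOR).
Assumes the IIS default W3C field order; adjust FIELDS to match the
#Fields: header of the log being scanned."""
from urllib.parse import parse_qs

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample log; not real traffic. The ViewState values are placeholders.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-01 10:00:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2020-03-01 10:00:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=AAAA 443 CORP\\bob 203.0.113.9 python-requests/2.22 - 500 0 0 340
2020-03-01 10:01:00 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\carol 10.0.0.80 Mozilla/5.0 - 200 0 0 90
"""

def parse_iis_line(line):
    """Split one W3C log line into a dict; None for comment or truncated lines."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def is_ecp_viewstate_attempt(entry):
    """True when the request targets /ecp/default.aspx with ViewState in the query."""
    if entry is None or entry["cs-uri-stem"].lower() != "/ecp/default.aspx":
        return False
    query = entry["cs-uri-query"]
    if query == "-":          # IIS logs '-' when there is no query string
        return False
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in names and "__viewstategenerator" in names

def find_suspects(lines):
    """Return (username, client IP, HTTP status) for each suspicious request."""
    hits = []
    for line in lines:
        entry = parse_iis_line(line)
        if is_ecp_viewstate_attempt(entry):
            hits.append((entry["cs-username"], entry["c-ip"], entry["sc-status"]))
    return hits

if __name__ == "__main__":
    for user, ip, status in find_suspects(SAMPLE_LOG.splitlines()):
        print(f"suspicious ECP ViewState request: user={user} ip={ip} status={status}")
```

Any hit is worth correlating with the mailbox user’s normal sign-in locations, since the request must come from an authenticated account; a 500 status on such a request is consistent with a deserialization payload that failed, not proof that it succeeded or failed.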