UK-based cybersecurity firm Volexity first spotted the vulnerability being exploited in the wild but the firm did not name any of the hacking groups involved.
The vulnerability, tracked under the identifier CVE-2020-0688, was patched by Microsoft last month. If exploited though, the remote code execution vulnerability could be used to read all of an organization's emails as it gives attackers full control of a Microsoft Exchange email server.
- Microsoft products were targeted the most by hackers last year
- Nation-state hackers increasingly target organizations
- Microsoft will bring its antivirus software to iOS and Android
While Microsoft has already patched the vulnerability, a technical report from the Zero-Day Initiative, who first reported the bug to the company, provided extensive details on the bug and how it works. This report served as a roadmap for security researchers who used the information it contained to create proof-of-concept exploits to prepare their own servers for possible attacks.
Following the release of Zero-Day Initiative's report, hacker groups began to scan the internet for vulnerable Exchange servers which they could launch attacks against in the future.
Weaponizing the vulnerability
In a new blog post, Volexity revealed that cybercriminals' scans for vulnerable Exchange servers have turned into actual attacks, saying:
“Volexity has observed multiple APT actors exploiting or attempting to exploit on-premise Exchange servers. In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use. Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail, etc., limiting what an attacker can do with a compromised password. This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account.”
Thankfully though, the vulnerability in Exchange is not easy to exploit and to do so, hackers need to have the credentials for an email account on the server they're trying to attack. This means that less advanced hackers will be unable to do so while nation-state hackers have the resources to exploit the vulnerability.
All Microsoft Exchange servers are considered vulnerable to these attacks including versions that have reached their end-of-life (EoL). Organizations should apply the latest patch as soon as possible and if they're running an EoL version, they should consider updating to a newer Exchange version.
- We've also highlighted the best email clients
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.