Skip to main content

Nation-state hackers abuse flaw in Microsoft Exchange servers

(Image credit: Shutterstock)

Multiple nation-state hackers have begun exploiting a vulnerability in Microsoft Exchange email servers that was recently patched.

UK-based cybersecurity firm Volexity first spotted the vulnerability being exploited in the wild but the firm did not name any of the hacking groups involved.

The vulnerability, tracked under the identifier CVE-2020-0688, was patched by Microsoft last month. If exploited though, the remote code execution vulnerability could be used to read all of an organization's emails as it gives attackers full control of a Microsoft Exchange email server.

While Microsoft has already patched the vulnerability, a technical report from the Zero-Day Initiative, who first reported the bug to the company, provided extensive details on the bug and how it works. This report served as a roadmap for security researchers who used the information it contained to create proof-of-concept exploits to prepare their own servers for possible attacks.

Following the release of Zero-Day Initiative's report, hacker groups began to scan the internet for vulnerable Exchange servers which they could launch attacks against in the future.

Weaponizing the vulnerability

In a new blog post, Volexity revealed that cybercriminals' scans for vulnerable Exchange servers have turned into actual attacks, saying:

“Volexity has observed multiple APT actors exploiting or attempting to exploit on-premise Exchange servers. In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use. Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail, etc., limiting what an attacker can do with a compromised password. This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account.”

Thankfully though, the vulnerability in Exchange is not easy to exploit and to do so, hackers need to have the credentials for an email account on the server they're trying to attack. This means that less advanced hackers will be unable to do so while nation-state hackers have the resources to exploit the vulnerability.

All Microsoft Exchange servers are considered vulnerable to these attacks including versions that have reached their end-of-life (EoL). Organizations should apply the latest patch as soon as possible and if they're running an EoL version, they should consider updating to a newer Exchange version. 

Via ZDNet