Exchange Server Bug Exposes a Big Risk to Hackers

Posted on by Dawna M. Roberts in News October 02, 2020
https://content.infopay.net/storage/thumbnails/ivhqMpMlURYGCECw44mNCKGA3gOVCvgXfOxwHQ0H.jpg

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of them are still vulnerable. 

A Hacker’s Dream

Unnamed government-backed hackers have been using the Exchange server bug (CVE-2020-0688) to execute code using open-source malware and exploit the email store. Microsoft released a patch in February and issued a warning to Exchange server clients. By April, security experts noted that at least 350,000 Exchange servers were still vulnerable and had not been patched. 

The Technical Details

The Exchange server flaw is related to the fact that all Exchange server versions over the past ten years use the same cryptographic keys controlling the backend panel. Using malware, cybercriminals can take full control of the system and access anything they want.

For the better part of this year, Microsoft products have been under siege by various hacker groups targeting a vulnerability in Microsoft’s Internet Information Service (IIS) and more recently this Exchange server issue. 

Hardik Suri, a member of the Microsoft Defender ATP Research Team, reported that, “In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web-accessible paths on the server.” The scenario is similar to what is going on in Australia with multiple attacks against business servers within their country.

Suri went on to say, “The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain.” Threat actors use various open-source malware and programs like Mimikatz and MemoryModule to inject code and execute system functions.

Almost with a hint of awe and admiration, Suri notes that “The binary used the open-source MemoryModule library to load the binary using   reflective DLL injection . Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.”

He also warned that these intrusions gave hackers “unrestricted access to any users or group in the organization.” 

Hackers also targeted Microsoft Defender Antivirus and disabled archive scanning to steal .pst files using tools like rar.exe. 

What Microsoft Has to Say About It

Microsoft strongly urges all Microsoft Exchange server customers to apply the patch immediately. Additionally, Suri recommends that they enable multi-factor authentication on all Windows 10 machines.

Microsoft security experts implore Exchange server techs to do some research to determine if anyone has exploited their exchange server by looking for artifacts left by hackers in the Windows Event Log and IIS logs. Suri warns that “This log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate.”

He additionally recommended that companies review their high-level groups like Administrators, Remote Desktop Users, and Enterprise Admins. Additional tips for security experts include practicing the “least-privilege principle” and creating alerts for any suspicious activity on Exchange servers. Installing and configuring Microsoft Defender ATP was also mentioned for behavioral monitoring of IIS and Exchange. 

About the Author
IDStrong Logo

Related Articles

46,000 Veterans and 13 Community Care Providers Affected by a VA Data Breach

The Incident Early last week, the Department of Veteran Affairs (VA) was breached by an unknown cybe... Read More

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s c... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “Alien” is ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the country, ... Read More

FREE IDENTITY THREAT SCAN
Scan Your Records for Breaches, Leaks & Exposures!