Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of them are still vulnerable.
A Hacker’s Dream
Unnamed government-backed hackers have been using the Exchange server bug (CVE-2020-0688) to execute code using open-source malware and exploit the email store. Microsoft released a patch in February and issued a warning to Exchange server clients. By April, security experts noted that at least 350,000 Exchange servers were still vulnerable and had not been patched.
The Technical Details
The Exchange server flaw is related to the fact that all Exchange server versions over the past ten years use the same cryptographic keys controlling the backend panel. Using malware, cybercriminals can take full control of the system and access anything they want.
For the better part of this year, Microsoft products have been under siege by various hacker groups targeting a vulnerability in Microsoft’s Internet Information Service (IIS) and more recently this Exchange server issue.
Hardik Suri, a member of the Microsoft Defender ATP Research Team, reported that, “In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web-accessible paths on the server.” The scenario is similar to what is going on in Australia with multiple attacks against business servers within their country.
Suri went on to say, “The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain.” Threat actors use various open-source malware and programs like Mimikatz and MemoryModule to inject code and execute system functions.
Almost with a hint of awe and admiration, Suri notes that “The binary used the open-source MemoryModule library to load the binary using reflective DLL injection . Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.”
He also warned that these intrusions gave hackers “unrestricted access to any users or group in the organization.”
Hackers also targeted Microsoft Defender Antivirus and disabled archive scanning to steal .pst files using tools like rar.exe.
What Microsoft Has to Say About It
Microsoft strongly urges all Microsoft Exchange server customers to apply the patch immediately. Additionally, Suri recommends that they enable multi-factor authentication on all Windows 10 machines.
Microsoft security experts implore Exchange server techs to do some research to determine if anyone has exploited their exchange server by looking for artifacts left by hackers in the Windows Event Log and IIS logs. Suri warns that “This log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate.”
He additionally recommended that companies review their high-level groups like Administrators, Remote Desktop Users, and Enterprise Admins. Additional tips for security experts include practicing the “least-privilege principle” and creating alerts for any suspicious activity on Exchange servers. Installing and configuring Microsoft Defender ATP was also mentioned for behavioral monitoring of IIS and Exchange.