Exchange Server Bug Exposes a Big Risk to Hackers

  • By Dawna M. Roberts
  • Published: Oct 02, 2020
  • Last Updated: Mar 18, 2022

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of them are still vulnerable. 

A Hacker’s Dream

Unnamed government-backed hackers have been using the Exchange server bug (CVE-2020-0688) to execute code using open-source malware and exploit the email store. Microsoft released a patch in February and issued a warning to Exchange server clients. By April, security experts noted that at least 350,000 Exchange servers were still vulnerable and had not been patched. 

The Technical Details

The Exchange server flaw is related to the fact that all Exchange server versions over the past ten years use the same cryptographic keys controlling the backend panel. Using malware, cybercriminals can take full control of the system and access anything they want.

For the better part of this year, Microsoft products have been under siege by various hacker groups targeting a vulnerability in Microsoft’s Internet Information Service (IIS) and more recently this Exchange server issue. 

Hardik Suri, a member of the Microsoft Defender ATP Research Team, reported that, “In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web-accessible paths on the server.” The scenario is similar to what is going on in Australia with multiple attacks against business servers within their country.

Suri went on to say, “The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain.” Threat actors use various open-source malware and programs like Mimikatz and MemoryModule to inject code and execute system functions.

Almost with a hint of awe and admiration, Suri notes that “The binary used the open-source MemoryModule library to load the binary using   reflective DLL injection . Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.”

He also warned that these intrusions gave hackers “unrestricted access to any users or group in the organization.” 

Hackers also targeted Microsoft Defender Antivirus and disabled archive scanning to steal .pst files using tools like rar.exe. 

What Microsoft Has to Say About It

Microsoft strongly urges all Microsoft Exchange server customers to apply the patch immediately. Additionally, Suri recommends that they enable multi-factor authentication on all Windows 10 machines.

Microsoft security experts implore Exchange server techs to do some research to determine if anyone has exploited their exchange server by looking for artifacts left by hackers in the Windows Event Log and IIS logs. Suri warns that “This log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate.”

He additionally recommended that companies review their high-level groups like Administrators, Remote Desktop Users, and Enterprise Admins. Additional tips for security experts include practicing the “least-privilege principle” and creating alerts for any suspicious activity on Exchange servers. Installing and configuring Microsoft Defender ATP was also mentioned for behavioral monitoring of IIS and Exchange. 

About the Author
IDStrong Logo

Related Articles

46,000 Veterans and 13 Community Care Providers Affected by a VA Data Breach

The Incident Early last week, the Department of Veteran Affairs (VA) was breached by an unk ... Read More

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

Snapchat Scams and How to Avoid Them

Snapchat Scams and How to Avoid Them

Snapchat is a mobile-based social media platform owned by Snap Inc. ; it is a global platform, hosting over 734.8 million users, the majority of which are Gen Z. The platform began as a resource for sharing pictures between friends but has evolved to include options for creator content, group conversations, and the sharing of media.

How to Recognize and Avoid Publishers Clearing House Scams

How to Recognize and Avoid Publishers Clearing House Scams

The Publishers Clearing House (PCH) appeared in 1967, promoting magazine subscriptions, merchandise, time-share vacations, and their famous cash prize sweepstakes.

What is a Time Theft and How to Prevent It

What is a Time Theft and How to Prevent It

Time theft happens when employees dishonestly use their paid work hours for personal activities or tasks unrelated to work. Time fraud significantly impacts an organization's productivity, business strategy, finances, and employee morale.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address