Exchange Server Bug Exposes a Big Risk to Hackers

  • By Dawna M. Roberts
  • Oct 02, 2020

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of them are still vulnerable. 

A Hacker’s Dream

Unnamed government-backed hackers have been using the Exchange server bug (CVE-2020-0688) to execute code using open-source malware and exploit the email store. Microsoft released a patch in February and issued a warning to Exchange server clients. By April, security experts noted that at least 350,000 Exchange servers were still vulnerable and had not been patched. 

The Technical Details

The Exchange server flaw is related to the fact that all Exchange server versions over the past ten years use the same cryptographic keys controlling the backend panel. Using malware, cybercriminals can take full control of the system and access anything they want.

For the better part of this year, Microsoft products have been under siege by various hacker groups targeting a vulnerability in Microsoft’s Internet Information Service (IIS) and more recently this Exchange server issue. 

Hardik Suri, a member of the Microsoft Defender ATP Research Team, reported that, “In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web-accessible paths on the server.” The scenario is similar to what is going on in Australia with multiple attacks against business servers within their country.

Suri went on to say, “The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain.” Threat actors use various open-source malware and programs like Mimikatz and MemoryModule to inject code and execute system functions.

Almost with a hint of awe and admiration, Suri notes that “The binary used the open-source MemoryModule library to load the binary using   reflective DLL injection . Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.”

He also warned that these intrusions gave hackers “unrestricted access to any users or group in the organization.” 

Hackers also targeted Microsoft Defender Antivirus and disabled archive scanning to steal .pst files using tools like rar.exe. 

What Microsoft Has to Say About It

Microsoft strongly urges all Microsoft Exchange server customers to apply the patch immediately. Additionally, Suri recommends that they enable multi-factor authentication on all Windows 10 machines.

Microsoft security experts implore Exchange server techs to do some research to determine if anyone has exploited their exchange server by looking for artifacts left by hackers in the Windows Event Log and IIS logs. Suri warns that “This log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate.”

He additionally recommended that companies review their high-level groups like Administrators, Remote Desktop Users, and Enterprise Admins. Additional tips for security experts include practicing the “least-privilege principle” and creating alerts for any suspicious activity on Exchange servers. Installing and configuring Microsoft Defender ATP was also mentioned for behavioral monitoring of IIS and Exchange. 

About the Author
IDStrong Logo

Related Articles

46,000 Veterans and 13 Community Care Providers Affected by a VA Data Breach

The Incident Early last week, the Department of Veteran Affairs (VA) was breached by an unk ... Read More

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

What is PPP Loan Fraud?

What is PPP Loan Fraud?

When the pandemic hit in 2020, our world became chaotic overnight. Throughout the nation, individuals were met with layoffs or stringent checks—pushing the financials of families to their breaking points.

Cementitious Vendor—CGM—Network Compromised by 315k Data Breach

Cementitious Vendor—CGM—Network Compromised by 315k Data Breach

Based in Philadelphia, Pennsylvania, CGM is a nationwide cementitious vendor for industries and construction projects. They are a leader in manufacturing, labeling, and distributing custom cement and patching products.

Chattanooga Heart Institute Updates on 2023 Network Cyber Attack

Chattanooga Heart Institute Updates on 2023 Network Cyber Attack

Patients with cardiovascular issues may appear in one of the Chattanooga Heart Institute (CHI) facilities in Tennessee and Georgia.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Close
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close