Security professionals warn that attackers are already scanning the internet for Microsoft Exchange servers vulnerable to CVE-2020-0688, which Microsoft fixed two weeks ago.
Let me remind you that the problem lies in the Exchange Control Panel (ECP) component and in Exchange's failure to generate unique cryptographic keys during installation. The bug allows an authenticated attacker to remotely execute arbitrary code with SYSTEM privileges and completely compromise the vulnerable server.
Zero Day Initiative specialists have already published a demonstration of the problem of static cryptographic keys on an unpatched server (see video below). The researchers warn that any remote attacker who compromises the device or credentials of a company employee will be able to reach the Exchange server and read and forge corporate mail.
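One way to hunt for exploitation attempts in IIS logs, as an added example that is not from the article or from ZDI: the publicly documented exploitation pattern sends ASP.NET ViewState to an /ecp/ page in the URL query string, whereas legitimate ECP traffic carries ViewState in a POST body. The log lines below are constructed samples (placeholder values, not a real payload), and the parser assumes the default IIS W3C field layout.

```python
from collections import Counter

# Constructed sample IIS W3C log excerpt (not real traffic). The #Fields line
# declares the column order, as IIS writes it at the top of each log file.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-02-25 10:01:02 10.0.0.5 GET /owa/ - 443 CORP\\alice 192.0.2.10 Mozilla/5.0 - 200 0 0 120
2020-02-25 10:01:40 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\alice 192.0.2.10 Mozilla/5.0 - 200 0 0 300
2020-02-25 10:03:11 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=PLACEHOLDER_BASE64 443 CORP\\bob 198.51.100.7 python-requests/2.22 - 500 0 0 45
2020-02-25 10:03:12 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=PLACEHOLDER_BASE64 443 CORP\\bob 198.51.100.7 python-requests/2.22 - 500 0 0 40
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_ecp_viewstate_hits(text):
    """Return records where ViewState was passed to /ecp/ via the query string."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"].lower()
        if stem.startswith("/ecp/") and "__viewstate=" in query:
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "user": rec["cs-username"],   # the account whose credentials were used
                "src": rec["c-ip"],           # where the request came from
                "status": rec["sc-status"],   # failed deserialization typically logs 500
            })
    return hits


def summarize(hits):
    """Count suspicious requests per (account, source IP) pair for triage."""
    return Counter((h["user"], h["src"]) for h in hits)


if __name__ == "__main__":
    found = find_ecp_viewstate_hits(SAMPLE_LOG)
    for (user, src), n in summarize(found).items():
        print(f"{n} suspicious ECP ViewState request(s) from {src} as {user}")
```

Because the attack requires valid credentials, the flagged account is the one to reset and investigate, not only the source address.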
Well-known information security experts Kevin Beaumont and Troy Mursch of Bad Packets are already warning about mass scanning of the internet in search of vulnerable servers:
That was quick, since 2 hours ago seeing likely mass scanning for CVE-2020-0688 (Microsoft Exchange 2007+ RCE vulnerability). pic.twitter.com/Kp3zOi5AOA
– Kevin Beaumont (@GossiTheDog) February 25, 2020
CVE-2020-0688 mass scanning activity has begun. Query our API for "tags = CVE-2020-0688" to locate hosts conducting scans. #threatintel
– Bad Packets Report (@bad_packets) February 25, 2020
Experts point out that authentication on target servers is not an obstacle for attackers. They get past it by using tools that collect information about company employees from LinkedIn, then brute-forcing Outlook Web Access (OWA) and ECP with that data combined with credential stuffing.
“This vulnerability just spills credentials. You are logged in with SYSTEM privileges. Launch Mimikatz. Exchange stores user credentials in memory, in plain text format, so in the end you get all user passwords without hashing,” writes Beaumont.
Administrators of vulnerable servers are advised to install the patches as soon as possible.