Threat actors scan Internet for Vulnerable Microsoft Exchange Servers

Experts warn that hackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable in the attempt to exploit the CVE-2020-0688 RCE.

Hackers are actively scanning the Internet for Microsoft Exchange Servers affected by the CVE-2020-0688 remote code execution flaw.

The vulnerability resides in the Exchange Control Panel (ECP) component, the root cause of the problem is that Exchange servers fail to properly create unique keys at install time.

“Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.” reads the advisory published by Microsoft.

A remote, authenticated attacker could exploit the CVE-2020-0688 vulnerability to execute arbitrary code with SYSTEM privileges on a server and take full control.

Security experts Simon Zuckerbraun from Zero Day Initiative published technical details on how to exploit the Microsoft Exchange CVE-2020-0688 along with a video PoC.

“Similarly, any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server. Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will.” wrote Zuckerbraun. “Accordingly, if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete. Microsoft lists this with an Exploit Index of 1, which means they expect to see exploits within 30 days of the patch release.”

Now the popular security researcher Kevin Beaumont reported mass scanning for the CVE-2020-0688 (Microsoft Exchange 2007+ RCE vulnerability).

Attackers, in order to exploit the issue, have to find a vulnerable server exposed online, search for email addresses they collect from the Outlook Web Access (OWA) portal URL, and use data from previous data breaches to launch a credential stuffing attack.

“Next, they only have to launch a credential stuffing attack and keep at it until they get a hit and are able to login to the server. Once in, all that’s left is to exploit the CVE-2020-0688 vulnerability and fully compromise the targeted Exchange server.” reported BleepingComputer.

Beaumont explained that the process could be automated by using open tools available online, and these tools are currently actively used by threat actors in the wild.

Experts urge administrators to patch their servers before attackers could reach them and exploit the CVE-2020-0688 flaw.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Microsoft Exchange, CVE-2020-0688)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.