Microsoft has issued an additional notification to all Exchange customers to apply the patch for CVE-2020-0688, a critical memory corruption vulnerability in Microsoft Exchange.
Microsoft released an update fixing the vulnerability in February 2020 and issued a warning in March when APT groups began exploiting it. However, despite active exploitation in the wild, many customers have been slow to apply the patch. Microsoft has now observed a spike in attacks on vulnerable Exchange servers and is therefore advising all Exchange customers to make sure the vulnerability is patched immediately.
Any vulnerability in Microsoft Exchange must be treated as a high priority. Attackers who exploit an Exchange vulnerability can access the email system, which usually holds a large volume of highly sensitive data, particularly protected health information (PHI) in healthcare. As with this vulnerability, it is possible for attackers to reach highly privileged accounts. They could compromise the whole email system, obtain administrative privileges on the server, and take control of the network.
According to Microsoft, Exchange servers customarily lack adequate network protection, antivirus solutions, the latest security updates, and appropriate security settings, often deliberately, because of the misguided belief that these protections interfere with normal Exchange performance. Attackers leverage this to gain a steady foothold in the organizations they target.
Microsoft noted that attackers favor the CVE-2020-0688 vulnerability: there is no need for phishing or social engineering to gain access to an administrator's account, because the server can be attacked directly.
A review of attacks carried out in April reveals that APT groups are deploying web shells, running exploratory commands for reconnaissance, and using EternalBlue to find other devices on the network to attack. Where the server is misconfigured, attackers can obtain top-level privileges and access the server even without remote access tools.
By creating a new account, the attacker becomes a domain admin and gains unrestricted access to the organization's users and groups, including the credentials of its most sensitive users and groups.
Attackers are taking advantage of the vulnerability to obtain a steady foothold in the targeted organization's network. They tamper with security solutions, move laterally, set up remote access that circumvents security controls, and exfiltrate information, including existing mailboxes. Failing to apply the patch that fixes the vulnerability could lead to a substantial and costly data breach.
Besides applying the patch, Microsoft advises promptly remediating other weaknesses found on Exchange servers: installing antivirus software on the servers, keeping the software updated, and enabling tamper protection features to stop attackers from disabling security solutions.
Organizations must follow the principle of least privilege, maintain credential hygiene, and conduct reviews to detect any accounts added to highly privileged groups. Security teams must also respond quickly to alerts about suspicious activity on Exchange servers.
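One way to perform the privileged-group review recommended above, and to catch the "newly created domain admin account" pattern the article describes, is to enumerate the default high-privilege Active Directory groups and flag members that are recently created or not on a known-admin list. The script below is an added example, not code from Microsoft or from the article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that it runs on a domain-joined machine with read access to the domain, that the groups carry their default English names, and that the `$KnownAdmins` allow-list is maintained by the security team.

```powershell
# Added example (not from the article): audit high-privilege AD groups for
# recently created or unexpected member accounts.
# Assumptions: ActiveDirectory module available, caller has domain read access,
# default English group names, $KnownAdmins maintained by the security team.
Import-Module ActiveDirectory

# Groups whose membership should be reviewed; adjust to the environment.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Accounts created within this window are flagged for manual review.
$LookbackDays = 30
$Cutoff = (Get-Date).AddDays(-$LookbackDays)

# Allow-list of accounts expected in these groups (assumed, team-maintained).
$KnownAdmins = @('Administrator')

$Findings = foreach ($Group in $PrivilegedGroups) {
    try {
        # -Recursive expands nested groups so indirect members are reviewed too.
        $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Could not enumerate group '$Group': $($_.Exception.Message)"
        continue
    }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName `
                           -Properties whenCreated, Enabled, LastLogonDate
        $Reasons = @()
        if ($User.whenCreated -ge $Cutoff) {
            $Reasons += "created within last $LookbackDays days"
        }
        if ($KnownAdmins -notcontains $User.SamAccountName) {
            $Reasons += 'not on the known-admin allow-list'
        }

        # Emit one finding per member that matched at least one reason.
        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Group          = $Group
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                WhenCreated    = $User.whenCreated
                LastLogonDate  = $User.LastLogonDate
                Reason         = ($Reasons -join '; ')
            }
        }
    }
}

if ($Findings) {
    # Newest accounts first: these are the ones most likely to need attention.
    $Findings | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
} else {
    Write-Host "No unexpected or recently created members found in: $($PrivilegedGroups -join ', ')"
}
```

Run it on a schedule and diff the output against the previous run; any new row is a candidate for the incident-response follow-up the article calls for. The same review should cover the Exchange patch level itself, which can be listed from the Exchange Management Shell with `Get-ExchangeServer | Select-Object Name, AdminDisplayVersion` and compared against the version that includes the CVE-2020-0688 fix.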