Microsoft introduced a patch to address a critical vulnerability impacting Microsoft Exchange Servers which threat actors could potently exploit to have complete command of a vulnerable system. In spite of the warning of Microsoft that hackers would be targeting the vulnerability, users have been slow in patching.
An evaluation performed by cybersecurity company Rapid7 showed that over 82% of public-facing Exchange servers stayed vulnerable and without patching. The company’s scan found 433,464 public-facing Exchange servers, and no less than 357,629 could be impacted when the CVE-2020-0688 vulnerability is exploited by attackers.
Exchange administrators most likely did not prioritize the patch because the vulnerability is a post-authorization defect; nonetheless, attacks can happen when stolen email credentials or brute force tactics are used for guessing weak passwords.
GitHub published a number of proof-of-concept uses for the vulnerability, and nation-state Advanced Persistent Threat groups have reports of attempts to exploit the vulnerability utilizing brute force tactics to get credentials including stolen ones from previous data breaches.
If hackers exploit the vulnerability, it would allow them to access the Exchange Servers and compromise the whole Exchange environment. The hackers would be able to do the following on compromised servers: acquire all email messages, set up new email accounts, falsify information, and remotely execute code.
Microsoft in the past mentioned that no mitigations or workarounds could be carried out to stop exploitation. There is just one way to keep the vulnerability from being exploited – to apply the patch on all servers at risk.
Because it is known that there have been attacks already, besides patch application, administrators must also investigate to find out if conducted attacks were successful.
Rapid7 advises Exchange administrators to take a look at IIS logs and Windows Event for indications of compromise. Compromised email accounts that were used for attacking Exchange servers will have log files that contain traces of the exploit code.
The exploit attempts are seen in the Windows Application event log with source MSExchange Control Panel, event ID 4 and level Error. The log entry is going to show the compromised user account, a very lengthy error message which contains the text Invalid viewstate. These are parts of the encoded payload. A review of the IIS logs for requests to a path under /ecp (usually /ecp/default.aspx) can also be seen which consists of the string __VIEWSTATEGENERATOR and __VIEWSTATE.
Besides learning about an upsetting number of CVE-2020-0688 vulnerable Exchange servers, the researchers additionally discovered a worrying number of Exchange servers with missing updates for other critical vulnerabilities. 31,000 Exchange servers have not been updated since 2012 while 800 Exchange servers were never updated.
On October, Microsoft is going to end the support for Exchange 2010. What will happen to the 166,000 public-facing Exchange servers that still operate using Exchange 2010 when the support ends?