APT Groups Exploit CVE-2020-0688 to Compromise Microsoft Exchange Servers

Delaware, USA – March 10, 2020 – Adversaries switched from searching for vulnerable Microsoft Exchange Servers to exploiting CVE-2020-0688 remote code execution flaw. About two weeks ago, a detailed technical report on the vulnerability was published, and adversaries began scanning the internet to create lists of potential targets. The report has pushed security researchers to create proof-of-concept exploits, and at least three working versions published on GitHub, and Rapid7 created a module for the Metasploit penetration testing framework. At the end of last week, several sources reported that state-sponsored cyberespionage units already operate CVE-2020-0688 in order to gain access to the organization’s servers. Cyber-security firm Volexity has detected a surge in attacks by APT groups exploiting this vulnerability:

“Volexity has observed multiple APT actors exploiting or attempting to exploit on-premise Exchange servers. In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use. Many organizations employ two-factor authentication (2FA) to protect their VPN, e-mail, etc., limiting what an attacker can do with a compromised password. This vulnerability gives attackers the ability to gain access to a significant asset within an organization with a simple user credential or old service account. This issue further underscores why changing passwords periodically is a good best practice, regardless of security measures like 2FA. In recent attacks, Volexity has observed the Exchange ECP vulnerability leveraged to do the following; run system commands to conduct reconnaissance, deploy webshell backdoor accessible via OWA; execute in-memory post-exploitation frameworks,” experts said. In addition to state-sponsored groups, this vulnerability can be exploited by financially-motivated cybercriminals, in particular – ransomware gangs.

Content available on Threat Detection Marketplace to spot attempts to exploit this flaw:
CVE-2020-0688 Exploitation via Eventlog – https://tdm.socprime.com/tdm/info/sVnT2KbqkY7R/
CVE-2020-0688 Exchange Exploitation via Web Log – https://tdm.socprime.com/tdm/info/H5LSb8XN3A9d/
CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys – https://tdm.socprime.com/tdm/info/GRtQkopjNbh6/
CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server – https://tdm.socprime.com/tdm/info/5OaEtexCqJwO/