
Multiple nation-state groups are hacking Microsoft Exchange servers


itman


Government-backed groups are exploiting CVE-2020-0688 to take over Exchange email servers.

Quote

Multiple government-backed hacking groups are exploiting a recently-patched vulnerability in Microsoft Exchange email servers.

The exploitation attempts were first spotted by UK cyber-security firm Volexity on Friday and confirmed today to ZDNet by a source in the DOD.

The Microsoft Exchange vulnerability

These state-sponsored hacking groups are exploiting a vulnerability in Microsoft Exchange email servers that Microsoft patched last month, in the February 2020 Patch Tuesday.

The vulnerability is tracked under the identifier of CVE-2020-0688. Below is a summary of the vulnerability's technical details:

  • During installation, Microsoft Exchange servers fail to create a unique cryptographic key for the Exchange control panel.
  • This means that all Microsoft Exchange email servers released during the past 10+ years use identical cryptographic keys (validationKey and decryptionKey) for their control panel's backend.
  • Attackers can send malformed requests to the Exchange control panel containing malicious serialized data.
  • Since hackers know the control panel's encryption keys, they can ensure the serialized data is unserialized, which results in malicious code running on the Exchange server's backend.
  • The malicious code runs with SYSTEM privileges, giving attackers full control of the server.

Microsoft released patches for this bug on February 11, when it also warned sysadmins to install the fixes as soon as possible, anticipating future attacks.

https://www.zdnet.com/article/multiple-nation-state-groups-are-hacking-microsoft-exchange-servers/

This blog posting details how you can determine if you have already been exploited by this vulnerability: https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/

Edited by itman

I don't get it. If the patch went out last month, presumably this has closed the hole. In which case, how can these systems be exploited if patched?


4 minutes ago, Hpoonis said:

I don't get it. If the patch went out last month, presumably this has closed the hole. In which case, how can these systems be exploited if patched?

You haven't applied the patch yet.

You were exploited prior to the patch being released or applied.

Edited by itman

This report is dated 2/26/2020:

Quote

Have there been reports of in the wild exploitation?

Yes. Third party researchers have observed active in the wild attacks at this time. Microsoft has not commented publicly confirming this. Attribution is unknown at this time.

https://fortiguard.com/threat-signal-report/3403/attacks-observed-in-the-wild-exploiting-cve-2020-0688-microsoft-exchange-validation-key-remote-code-execution-vulnerability

Edited by itman

Quote

The post made it clear that an attacker could exploit a vulnerable Exchange server if the following three criteria were met:

  1. The Exchange Server had not been patched since February 11, 2020.
  2. The Exchange Control Panel (ECP) interface was accessible to the attacker.
  3. The attacker has a working credential that allows them to access the Exchange Control Panel in order to collect the ViewStateKey from the authenticated session cookie as well as the __VIEWSTATEGENERATOR value from a hidden field within the page source. The credential leveraged by the attacker does not need to be highly privileged or have ECP access.

Shortly after the post was published, Volexity began seeing this vulnerability exploited in the wild by advanced persistent threat (APT) actors. Then on March 4, 2020, Rapid7 released a module that would incorporate this exploit into the Metasploit penetration testing framework.

https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/

Edited by itman
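The first post in the thread summarizes why the bug works (every ECP install shares the same validationKey/decryptionKey, so a forged ViewState deserializes on the server) and links a TrustedSec write-up on detecting exploitation; the Volexity quote above lists what an attacker needs (a credential, a reachable ECP, the __VIEWSTATEGENERATOR value). For defenders the practical question is how to find attempts in the logs. The following script is an added example and is not code from the thread, from TrustedSec, Volexity, Rapid7 or Microsoft. It parses IIS W3C log lines from an Exchange server and flags requests under /ecp/ whose URL query string carries __VIEWSTATE; the assumption behind the heuristic is that a browser using ECP submits ViewState in the POST body, so ViewState in a GET query string is anomalous. The log lines are constructed, the field order is the default IIS W3C field set, and the generator value EXAMPLE01 is a placeholder, not the real ECP value.

```python
"""Flag ECP requests that carry ASP.NET ViewState in the URL query string.

Added example (not from the forum thread or the vendors it links). Assumes the
default IIS W3C log field order on an Exchange server; adjust the #Fields line
if your logging configuration differs.
"""
import urllib.parse
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample log (not real data). The two GET requests from 198.51.100.7
# put __VIEWSTATEGENERATOR/__VIEWSTATE in the query string; EXAMPLE01 is a
# placeholder, not a real generator value.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-01 09:58:12 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 203.0.113.10 Mozilla/5.0 200
2020-03-01 09:59:40 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\alice 203.0.113.10 Mozilla/5.0 200
2020-03-01 10:00:03 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=EXAMPLE01&__VIEWSTATE=AAAA 443 CONTOSO\\bob 198.51.100.7 python-requests/2.22 500
2020-03-01 10:00:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=EXAMPLE01&__VIEWSTATE=BBBB 443 CONTOSO\\bob 198.51.100.7 python-requests/2.22 500
2020-03-01 10:05:00 10.0.0.5 GET /ecp/ - 443 CONTOSO\\carol 203.0.113.22 Mozilla/5.0 200
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    user: str
    uri_stem: str
    status: str
    user_agent: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one {field: value} dict per entry, naming columns from the #Fields directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        if not fields:
            raise ValueError("log entry appeared before a #Fields header")
        parts = line.split(" ")            # IIS encodes spaces inside values as '+'
        if len(parts) != len(fields):
            continue                       # truncated or malformed entry; skip it
        yield dict(zip(fields, parts))


def carries_viewstate_in_query(entry: Dict[str, str]) -> bool:
    """True for a request under /ecp/ whose URL query string contains __VIEWSTATE."""
    stem = entry.get("cs-uri-stem", "-").lower()
    query = entry.get("cs-uri-query", "-")
    if not stem.startswith("/ecp/") or query == "-":
        return False
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return any(name.lower() == "__viewstate" for name in params)


def find_hits(text: str) -> List[Hit]:
    """Return every flagged entry with the fields an analyst needs for triage."""
    return [
        Hit(
            time=f"{e.get('date', '-')} {e.get('time', '-')}",
            client_ip=e.get("c-ip", "-"),
            user=e.get("cs-username", "-"),
            uri_stem=e.get("cs-uri-stem", "-"),
            status=e.get("sc-status", "-"),      # a 500 after the request is a common secondary signal
            user_agent=e.get("cs(User-Agent)", "-"),
        )
        for e in parse_w3c(text)
        if carries_viewstate_in_query(e)
    ]


def hits_by_client(hits: List[Hit]) -> Dict[str, int]:
    """Count flagged requests per source address to prioritise investigation."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.time} {h.client_ip} {h.user} {h.uri_stem} status={h.status} ua={h.user_agent}")
    print(hits_by_client(found))
```

Run it against the real log files under the Exchange IIS log directory rather than the constructed sample; a hit tells you which account's credential was used and from where, which is the starting point for the credential reset and the deeper host review the linked write-up describes.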

10 hours ago, Hpoonis said:

Probably about time the world steered away from microspasm anyway.

Problem is every OS suffers from things such as vulnerabilities, bugs etc. Problem is a lot of people don't update their systems. A lot of WannaCry victims were still using XP, for example, which has been unsupported for years.


7 hours ago, peteyt said:

Problem is every OS suffers from things such as vulnerabilities, bugs etc. Problem is a lot of people don't update their systems. A lot of WannaCry victims were still using XP, for example, which has been unsupported for years.

Mostly people don't really care about their systems and don't know that it's not supported anymore, I believe, and if you go tell people that 123 happened to their system, they will laugh at you and tell you who cares, because really they don't care about their systems.


With every iteration of ms software, it bloats and bloats but fails to really improve.  User functionality is reduced at the expense of adding extra garbage that could be eliminated.  As for exchange, the end-user couldn't give a toss, they use the mailtool outlook and ANYTHING could be sitting behind that.

Since switching to win10 (3 months), I have had 2 instances where my raid1 is re-synchronising. Previously, win7, I had 2 raid1 volumes and no re-synch in 4 years!  Currently, it has been running re-synch since 8pm last night (13+ hours).  Previously, I removed the mirror and recreated the volumes which was much faster.  LVM on Linux synchs WAY faster.

Windows and microfart are a closed-system blight on the tech world and the sooner it is up against the wall the better.

Edited by Hpoonis

1 hour ago, Hpoonis said:

With every iteration of ms software, it bloats and bloats but fails to really improve.  User functionality is reduced at the expense of adding extra garbage that could be eliminated.  As for exchange, the end-user couldn't give a toss, they use the mailtool outlook and ANYTHING could be sitting behind that.

Since switching to win10 (3 months), I have had 2 instances where my raid1 is re-synchronising. Previously, win7, I had 2 raid1 volumes and no re-synch in 4 years!  Currently, it has been running re-synch since 8pm last night (13+ hours).  Previously, I removed the mirror and recreated the volumes which was much faster.  LVM on Linux synchs WAY faster.

Windows and microfart are a closed-system blight on the tech world and the sooner it is up against the wall the better.

Take, you seem to be angry, play Candy Crush, Bill Gates believes that it's the right idea to relax. ;):D

At least with Linux, it's open source, too many people looking at the code including malware makers, but one good thing is that too many people can see the bug and report it or something similar like this.

Unlike Microsoft bringing you bugs that have been in the system since Windows XP days, or each upgrade breaks the hell out of your system, and it's not really nice when you have hundreds.

I don't know what they are thinking, but for sure they are not thinking it right, and they want you always to be online with a Microsoft account and Hotmail account and Skype account; it's like, yeah, come have all of your food from us, we offer you windowed foods, but it's very expensive and once you pay you keep getting problems and crashes with driver updates and updates.

Ahh, you don't want to upgrade? Please pay more hundreds of dollars to get an Enterprise LTSB version so we don't force you to upgrade and break all of your machines at once and make you run like a dog trying to fix it.

Still want to play Candy Crush? No, I remove it, but here it is, I am your Windows 10, I will give you Candy Crush whenever I think I can, and I need your data and location and everything about your system so I can develop better, I am Windows 10.

Microsoft urges you not to use SMB1 because it's obsolete, yet you go install SRV 16 or W10 and you have it enabled by default, cute Microsoft.

Yet they believe that their userbase is so large and they are being targeted like hell has opened at them; I believe they should do something to prevent all of that madness, with proper fixing and proper and more secure coding and reviewing and better updating speed that won't tell you to restart every time and you wait half a year for the server to start again.

They'd better bring more people for this, and their funny story about Windows Defender, that it's possible to protect your machine, while on YouTube people make fun of it, with ransoms, or with unleashing a lot of threats at once over it.

It's very funny with Microsoft these days: you upgrade, 3 days after, you get notified for the next feature upgrade; I am not forcing you to upgrade but I will keep asking you till you upgrade.

And before, click check for updates and you are in the trap; you are downloading a new version while your version hasn't expired; you can stop me only if you stop the service.

It's like buying a car and your car decides where to drive, very nice.

Edited by Nightowl

13 hours ago, peteyt said:

A lot of wannacry victims where using XP still for example which has been unsupported for years.

Actually, that is not true. Most of the victims were running Win 7:

Quote

According to data released today by Kaspersky Lab, roughly 98 percent of the computers affected by the ransomware were running some version of Windows 7, with less than one in a thousand running Windows XP. 2008 R2 Server clients were also hit hard, making up just over 1 percent of infections.

https://www.theverge.com/2017/5/19/15665488/wannacry-windows-7-version-xp-patched-victim-statistics

-EDIT- Where the confusion started in regards to the Wannacry episode was that it used the NSA developed SMBv1 exploits; primarily EternalBlue.

Win XP and earlier versions only support SMBv1 protocol. So it was initially assumed those were the vulnerable OS versions. Wrong! SMBv1 protocol is installed on all Win OS versions including the latest Win 10 1909. For Win 10 versions 1803+, SMBv1 is supposed to be automatically removed 10 days after OS installation if it is not used by any app software. Well, I have found out that really doesn't happen.

Edited by itman

NSA Warns About Microsoft Exchange Flaw as Attacks Start

Quote

The U.S. National Security Agency (NSA) warned about a post-auth remote code execution vulnerability in all supported Microsoft Exchange Server servers via a tweet published on the agency's Twitter account.

NSA's tweet reminded followers to patch the CVE-2020-0688 vulnerability which would enable potential attackers to execute commands on vulnerable Microsoft Exchange servers using email credentials.

A U.S. Department of Defense (‎DoD) source also confirmed the ongoing attacks to ZDNet, although, just like Volexity, it didn't name the groups or the countries behind them.


https://www.bleepingcomputer.com/news/security/nsa-warns-about-microsoft-exchange-flaw-as-attacks-start/


On 3/10/2020 at 7:16 AM, Nightowl said:

Mostly people don't really care about their systems and don't know that it's not supported anymore, I believe, and if you go tell people that 123 happened to their system, they will laugh at you and tell you who cares, because really they don't care about their systems.

Problem is a lot refuse to upgrade from obsolete versions even after they are warned. Yet the same people are the ones that will kick off and flame MS when they get infected or something because they are using something unsupported that is out of date. 

Don't get me wrong, MS and Windows aren't perfect, far from it, but you're asking for trouble if you don't update/upgrade. It's the same with users who use very old ESET versions. Even if it still gets signature updates, a lot of the newer technologies are not included. For example, I've seen a few people complain about getting ransomware infections. Usually a lot of these don't have RDP locked down properly and ESET password protected, but a lot also were using old versions that didn't have the ransomware shield module. Not to mention newer versions also include bug fixes.


  • 3 weeks later...
On 3/10/2020 at 8:16 AM, Nightowl said:

Mostly people don't really care about their systems and don't know that it's not supported anymore, I believe

Are you serious? Those cannot be official IT personnel. We know of every patch for every system we use and would never say "I don't care", as this would be our last action in our jobs before we get fired.


Just now, Thomas F. said:

Are you serious? Those cannot be official IT personnel. We know of every patch for every system we use and would never say "I don't care", as this would be our last action in our jobs before we get fired.

I am not talking about IT personnel, for sure they should be kicked if that is the perspective; I am talking about normal home users that are not gamers (because gamers will be forced to upgrade because of DirectX), they won't bother to look for updates or upgrades, because all they use their computer for is normal work/study or a simple game or film.


Just now, Nightowl said:

I am not talking about IT personnel, for sure they should be kicked if that is the perspective; I am talking about normal home users that are not gamers (because gamers will be forced to upgrade because of DirectX), they won't bother to look for updates or upgrades, because all they use their computer for is normal work/study or a simple game or film.

I guess you are right. For that reason MS does automatic updates. I really wonder though why there are so many Russian clients and (web)servers that are not patched and therefore used as zombies. Any idea?


1 minute ago, Thomas F. said:

I guess you are right. For that reason MS does automatic updates. I really wonder though why there are so many Russian clients and (web)servers that are not patched and therefore used as zombies. Any idea?


Many system administrators are afraid of updates as they run customized code or some kind of software that might break with updates, or some servers have sleeping admins :D, or they might be lazy or have their own reasons that I don't know, but I recommend against delaying updates.

This is why I like Linux: updates are sent in a short time and not in huge sizes, which won't take much time to update and restart, etc.

Security fixes are brought really fast and in small sizes; you don't need 2 hours of preparing to download the update.


1 hour ago, Nightowl said:

Many system administrators are afraid of updates as they run customized code or some kind of software that might break with updates, or some servers have sleeping admins :D, or they might be lazy or have their own reasons that I don't know, but I recommend against delaying updates.

This is why I like Linux: updates are sent in a short time and not in huge sizes, which won't take much time to update and restart, etc.

Security fixes are brought really fast and in small sizes; you don't need 2 hours of preparing to download the update.

I know a few years back a lot of companies were still using XP and it wouldn't surprise me if this was still the case. For many this was due to using stuff incompatible with newer OSes and it being too expensive to upgrade. This could be even more of a challenge if there were multiple systems and systems with hardware that would also need to be replaced.

You often hear that IT departments have complained about old systems, but it often falls on deaf ears until it's far too late.


4 minutes ago, peteyt said:

I know a few years back a lot of companies were still using XP and it wouldn't surprise me if this was still the case. For many this was due to using stuff incompatible with newer OSes and it being too expensive to upgrade. This could be even more of a challenge if there were multiple systems and systems with hardware that would also need to be replaced.

You often hear that IT departments have complained about old systems, but it often falls on deaf ears until it's far too late.

That is very true, I still see places that run Windows XP and Windows 7, and I believe it's easy to exploit them using Metasploit.


  • 2 weeks later...

80% of all exposed Exchange servers still unpatched for critical flaw

Quote

Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven't yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions.

This security flaw is present in the Exchange Control Panel (ECP) component —on by default— and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials.

Microsoft patched this RCE bug on the February 2020 Patch Tuesday and tagged it with an "Exploitation More Likely" exploitability index assessment, hinting at the vulnerability being an attractive target for attackers.

https://www.bleepingcomputer.com/news/security/80-percent-of-all-exposed-exchange-servers-still-unpatched-for-critical-flaw/

Edited by itman
