NewsJan Kahmen8 min read

Microsoft Exchange zero-day Vulnerabilities threaten Hundreds of Thousands of Servers Worldwide

Tens of thousands of Exchange servers throughout Germany and even hundreds of thousands of servers worldwide are vulnerable and probably even infected. The reason for this are several security vulnerabilities in different versions of the Microsoft Exchange server that are classified as critical. Consequences can be, for example, the failure of important services and the collapse of business operations. The Federal Office for Information Security (BSI) advises companies to apply the Microsoft security updates immediately.


Table of Content

Quick Action is Called for

The common AST security process in DevOps or NoOps environments is described in the diagram below. The security consultant initially implements the security process in the CI/CD pipeline, after which he only acts in an advisory capacity. He supports the developers with tooling and in complex incidents.

Those who have not yet implemented an update must assume that the data of the Exchange server has been compromised. A high risk of attack is assumed, as proof-of-concept exploit codes are already available, which is why vulnerable systems should be urgently checked for corresponding anomalies. The BSI has already written to those companies which, according to the BSI's knowledge, have affected Exchange servers with warnings and recommendations for countermeasures. So far, more than 9,000 companies have been contacted by the BSI, but the number of affected companies will be significantly higher.

The four vulnerabilities of the Exchange servers, which Microsoft is trying to eliminate with current updates, are being actively exploited by hackers via remote access from the Internet. The attacks can sometimes have far-reaching consequences, as the Exchange server has high authorisations in the Active Directory in many installations. It is also worrying that there are thousands of Exchange systems that still have vulnerabilities that have been known for a long time but could never be closed with updates. According to the BSI, small and medium-sized companies are particularly affected by this. Often, not only is access to the company's email communication guaranteed, but even access to the entire company network.

The Security Vulnerability at a Glance

Affected by the CVE-2020-0688 vulnerability is the Exchange Control Panel (ECP) component, which affects all Exchange server installations. Until the last patch, all Exchange servers had the same validation key and validation algorithm in the web.config file. The POC exploits use the same validation key and validation algorithm to create a serialised __VIEWSTATE request parameter containing an embedded command signed with the valid key. By default, the POC does not attempt to encrypt the __VIEWSTATE data, although this is an option. The server receiving the malicious payload deserialises the __VIEWSTATE data and executes code as SYSTEM. The image above shows the execution of the POC exploit. The image below shows the Task Manager window running the malicious POC command from calc.exe as SYSTEM.

The exploit sends a POST request /owa/auth.owa. The request contains a valid username and password. If authentication is successful, the exploit requests the /ecp/default.aspx pages in an attempt to obtain the contents of __VIEWSTATEGENERATOR and the ASP.NET.SessionID. Using the data obtained by parsing __VIEWSTATEGNERATOR, the exploit creates a serialised payload containing the malicious command to be executed. The final serialised payload is then returned to /ecp/default.aspx.

The following systems are particularly vulnerable to this type of attack:

  • /ecp/default.aspx
  • /ecp/PersonalSettings/HomePage.aspx
  • /ecp/PersonalSettings/HomePage.aspx4E
  • /ecp/Organise/AutomaticReplies.slab
  • /ecp/RulesEditor/InboxRules.slab
  • /ecp/Organize/DeliveryReports.slab
  • /ecp/MyGroups/PersonalGroups.aspx
  • /ecp/MyGroups/ViewDistributionGroup.aspx
  • /ecp/Customize/Messaging.aspx
  • /ecp/Customize/General.aspx
  • /ecp/Customize/Calendar.aspx
  • /ecp/Customize/SentItems.aspx
  • /ecp/PersonalSettings/Password.aspx
  • /ecp/SMS/TextMessaging.slab
  • /ecp/TroubleShooting/MobileDevices.slab
  • /ecp/Customize/Regional.aspx
  • /ecp/MyGroups/SearchAllGroups.slab
  • /ecp/Security/BlockOrAllow.aspx

This is because the same validation key from web.config is used in each page for all these systems. This gives the attacker the ability to manipulate the VIEWSTATE.

Compromise Indicators

IIS Logs

The exploit creates a SYSMON event ID 4 in the application controls. An ERROR message appears in the event log, which contains the target page and the serialised payload. It makes sense in any case to alert on /ecp/root together with a large _VIEWSTATE variable, as multiple pages can be targeted.

The ATP Groups and their Behaviour Patterns

Currently, more than ten different ATP groups are increasingly exploiting the vulnerabilities to compromise email servers. Among them:

  • Tick: compressed the web server of a company based in East Asia and likely had access to the exploit before the release of the patches.
  • LuckyMouse: infected a government agency email server in the Middle East.
  • Calypso: infected the email servers of government agencies in the Middle East and South America. It also attacked other government agency servers in Africa, Asia and Europe.
  • Websiic: infected seven corporate email servers in Asia and one government entity in Eastern Europe.
  • Winnti Group: infected the email servers of an oil company and a construction equipment company in Asia.
  • Tonto Team: infected email servers of a procurement and consulting firm specialising in software development and cybersecurity.
  • ShadowPad activity: infected the email servers of a software development company based in Asia and a real estate company based in the Middle East.
  • Operation" Cobalt Strike: targeted around 650 servers, mainly in the US, Germany, the UK and other European countries.
  • Microceen: infected the Exchange server of a utility company in Central Asia.
  • DLTMiner: deployed PowerShell downloaders on several email servers previously attacked via the Exchange vulnerabilities.

Hackers apparently working for the Chinese Government

The American Cybersecurity as well as the Infrastructure Security Agency already issued emergency directives at the end of February to apply the latest patches for the Microsoft Exchange server. The risk of not taking action is considered unacceptable by the American authorities, as the vulnerabilities in the Microsoft Exchange server are exploited on a large scale and "persistent system access" is enabled.

Microsoft suspects the hacker group Hafnium, which most likely works for the Chinese government and primarily spies on US companies, is behind the attacks. Researchers in the health sector, law firms, civil society organisations, educational institutions and defence companies have already been affected.

Email Traffic in Hackers' Sights

At least 30,000 organisations in the US have been hit by particularly aggressive attacks, including mainly medium-sized businesses and city and municipal governments. The hackers are particularly targeting the organisations' email traffic.

In all incidents, a so-called "web shell" was left behind, which is an easy-to-use, password-protected hacking tool that can be accessed from any browser if administrator rights are available. Experts say it has already taken control of hundreds of thousands of servers worldwide.

Notices came from Virginia

Virginia-based IT security firm Volexity provided the first tip-off about the Microsoft Exchange server vulnerabilities. The target systems were attacked as early as 28 February. Even if the gaps had been patched on the same day, the malware would have been on vulnerable servers. The current wave of attacks is the second case of a major cyber campaign by foreign governments.

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.