Tens of thousands of Exchange servers throughout Germany, and hundreds of thousands worldwide, are vulnerable and probably already infected. The reason for this is several security vulnerabilities, classified as critical, in different versions of Microsoft Exchange Server. The consequences can include the failure of important services and the collapse of business operations. The Federal Office for Information Security (BSI) advises companies to apply the Microsoft security updates immediately.
Those who have not yet applied the update must assume that the data on the Exchange server has been compromised. The risk of attack is considered high because proof-of-concept exploit code is already publicly available, which is why vulnerable systems should urgently be checked for corresponding anomalies. The BSI has already written to those companies which, according to its knowledge, operate affected Exchange servers, with warnings and recommendations for countermeasures. So far, more than 9,000 companies have been contacted by the BSI, but the number of affected companies will be significantly higher.
The four Exchange Server vulnerabilities that Microsoft is trying to eliminate with the current updates are being actively exploited by attackers remotely from the Internet. The attacks can have far-reaching consequences, as in many installations the Exchange server holds high privileges in Active Directory. It is also worrying that thousands of Exchange systems still carry vulnerabilities that have been known for a long time but have never been closed with updates. According to the BSI, small and medium-sized companies are particularly affected by this. Often this gives attackers access not only to the company's email communication but to the entire company network.
The CVE-2020-0688 vulnerability affects the Exchange Control Panel (ECP) component and therefore all Exchange Server installations. Until the latest patch, every Exchange server shipped with the same validation key and validation algorithm in its web.config file. The PoC exploits use this shared validation key and algorithm to create a serialised __VIEWSTATE request parameter containing an embedded command signed with the valid key. By default, the PoC does not attempt to encrypt the __VIEWSTATE data, although this is an option. The server receiving the malicious payload deserialises the __VIEWSTATE data and executes code as SYSTEM. The image above shows the execution of the PoC exploit. The image below shows the Task Manager window with the malicious PoC command, calc.exe, running as SYSTEM.
The exploit sends a POST request to /owa/auth.owa containing a valid username and password. If authentication is successful, the exploit requests the /ecp/default.aspx page in order to obtain the contents of __VIEWSTATEGENERATOR and the ASP.NET_SessionId cookie. Using the values obtained by parsing __VIEWSTATEGENERATOR, the exploit creates a serialised payload containing the malicious command to be executed. The final serialised payload is then sent to /ecp/default.aspx.
The following systems are particularly vulnerable to this type of attack:
This is because, on all these systems, every page uses the same validation key from web.config. This gives the attacker the ability to forge the VIEWSTATE.
The exploit creates a Sysmon event ID 4 entry in the application event log. An ERROR message appears in the event log that contains the target page and the serialised payload. It makes sense in any case to alert on requests under /ecp/ that carry an unusually large __VIEWSTATE value, as multiple pages can be targeted.
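A defender-side check for the indicator just described (requests under /ecp/ carrying an oversized __VIEWSTATE), run over IIS W3C log lines. This is an added example, not code from the original article; the log lines, the 1024-byte threshold and the __VIEWSTATEGENERATOR value are constructed assumptions and should be tuned to your own baseline.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not real data); the exploit's request shows
# up as a GET to /ecp/default.aspx with a very long __VIEWSTATE in cs-uri-query.
SAMPLE_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2021-03-03 10:15:01 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 python-requests/2.25 302",
    "2021-03-03 10:15:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\jdoe 198.51.100.7 python-requests/2.25 200",
    "2021-03-03 10:15:03 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=0000AAAA&__VIEWSTATE="
    + "A" * 1400 + " 443 CORP\\jdoe 198.51.100.7 python-requests/2.25 500",
    "2021-03-03 10:16:00 10.0.0.5 GET /ecp/default.aspx __VIEWSTATE=" + "B" * 120
    + " 443 CORP\\asmith 203.0.113.9 Mozilla/5.0 200",
])

VIEWSTATE_LEN_THRESHOLD = 1024  # assumption: a normal ECP viewstate is far smaller


def parse_iis_log(text):
    """Yield one dict per record, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # IIS encodes spaces inside fields as '+'
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def viewstate_length(query):
    """Length of the longest __VIEWSTATE value in the query string ('-' means none)."""
    if query == "-":
        return 0
    params = parse_qs(query, keep_blank_values=True)
    return max((len(v) for v in params.get("__VIEWSTATE", [])), default=0)


def find_suspicious(text, threshold=VIEWSTATE_LEN_THRESHOLD):
    """Return records for any /ecp/ request whose __VIEWSTATE exceeds the threshold."""
    hits = []
    for rec in parse_iis_log(text):
        if not rec["cs-uri-stem"].lower().startswith("/ecp/"):
            continue
        vs_len = viewstate_length(rec["cs-uri-query"])
        if vs_len >= threshold:
            hits.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
                         "user": rec["cs-username"], "page": rec["cs-uri-stem"],
                         "viewstate_len": vs_len, "status": rec["sc-status"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

In production the same logic applies to the POST body if request bodies are logged, since the parameter can also be sent that way.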
Currently, more than ten different APT groups are increasingly exploiting the vulnerabilities to compromise email servers. Among them:
The US Cybersecurity and Infrastructure Security Agency (CISA) already issued an emergency directive at the end of February to apply the latest patches for Microsoft Exchange Server. The US authorities consider the risk of not taking action unacceptable, as the Microsoft Exchange Server vulnerabilities are being exploited on a large scale and enable "persistent system access".
Microsoft attributes the attacks to the hacker group Hafnium, which most likely works for the Chinese government and primarily spies on US companies. Researchers in the health sector, law firms, civil society organisations, educational institutions and defence companies have already been affected.
At least 30,000 organisations in the US have been hit by particularly aggressive attacks, including mainly medium-sized businesses and city and municipal governments. The hackers are particularly targeting the organisations' email traffic.
In all incidents a so-called "web shell" was left behind: an easy-to-use, password-protected hacking tool that can be accessed from any browser and gives administrator-level access. Experts say hundreds of thousands of servers worldwide have already been taken over this way.
The Virginia-based IT security firm Volexity provided the first tip-off about the Microsoft Exchange Server vulnerabilities. The target systems were attacked as early as 28 February. Even if the gaps had been patched on the same day, the malware would already have been on vulnerable servers. The current wave of attacks is the second case of a major cyber campaign by foreign governments.