CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability
A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security patch fixes the weakness by correcting how Microsoft Exchange creates the keys during install. Security patches that fix this vulnerability have been available for several months, but attackers clearly still find servers to attack.
- Initial access: attackers gain access through social engineering that targets endpoints, where they can collect credentials, and through remote code execution focused on the Internet Information Services (IIS) component of the target Exchange server.
- Reconnaissance, persistence, and credential access: attackers classify the local groups on the domain, which then gives them high account authority.
- Lateral movement uses Windows Management Instrumentation (WMI), which can track and monitor a server or computer and create a service or a schedule, and PsExec, with which attackers can execute processes on another system and redirect the output of any application as if it were running locally.
- Collection: attackers grant permissions using a new management role assignment and export mailboxes.
- Remote access uses Plink, from PuTTY, together with other open-source VPN/RDP software.
- The final stage is data exfiltration, in which rar.exe archive files are copied to a web-accessible path leading to the attackers.
The Exchange servers lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided belief that these protections can interfere with normal Exchange functions.
Recommended defensive measures against Exchange Server attacks
- Apply the latest patches and security updates
- Make sure all defenses in the infrastructure are enabled and monitored
- Review high and least account privileges and roles
- Restrict access according to least privilege and maintain credential hygiene
- Prioritize alerts that detect questionable behavior and act quickly on the initial phase of any attack
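As an added example (not code from the original article), the following tags process-creation events with the attack stages listed above and ranks hosts by how many distinct stages they show, which is one way to implement the alert prioritization recommended here. The event layout, host names, Exchange cmdlet names and web-root markers are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Stage -> pattern over "image path + command line". The cmdlet names and the
# web-root markers are assumptions mapped from the article's wording; tune them.
RULES = {
    "lateral_movement": re.compile(
        r"\\(psexec(64)?|psexesvc)\.exe\b"
        r"|\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create", re.I),
    "collection": re.compile(
        r"\bNew-ManagementRoleAssignment\b|\bNew-MailboxExportRequest\b", re.I),
    "remote_access": re.compile(r"\\plink\.exe\b", re.I),
    # rar.exe adding ("a") to an archive that lands under a web-served directory
    "exfiltration": re.compile(
        r"\\rar\.exe\b.*\sa\s.*\\(inetpub|httpproxy)\\", re.I),
}

# Constructed sample events: (host, image path, command line).
SAMPLE_EVENTS = [
    ("EXCH01", r"C:\Windows\System32\wbem\WMIC.exe",
     r"wmic /node:FS02 process call create cmd.exe"),
    ("EXCH01", r"C:\Users\Public\PsExec.exe", r"PsExec.exe \\FS02 -s cmd.exe"),
    ("EXCH01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe New-MailboxExportRequest -Mailbox user1 -FilePath \\EXCH01\share\user1.pst"),
    ("EXCH01", r"C:\ProgramData\plink.exe", r"plink.exe 203.0.113.7"),
    ("EXCH01", r"C:\ProgramData\rar.exe",
     r"rar.exe a C:\inetpub\wwwroot\out.rar C:\export\*.pst"),
    ("ADMIN03", r"C:\Tools\PsExec.exe", r"PsExec.exe \\WS07 ipconfig"),
    ("WS07", r"C:\Program Files\WinRAR\rar.exe",
     r"rar.exe a D:\backup\docs.rar D:\docs"),
]

def classify(image, cmdline):
    """Return the stages whose pattern matches this process-creation event."""
    text = f"{image} {cmdline}"
    return [stage for stage, rx in RULES.items() if rx.search(text)]

def prioritize(events, min_stages=2):
    """Rank hosts showing at least min_stages distinct stages, most stages first."""
    seen = defaultdict(set)
    for host, image, cmdline in events:
        seen[host].update(classify(image, cmdline))
    hits = [(h, sorted(s)) for h, s in seen.items() if len(s) >= min_stages]
    return sorted(hits, key=lambda item: -len(item[1]))

if __name__ == "__main__":
    for host, stages in prioritize(SAMPLE_EVENTS):
        print(f"{host}: {len(stages)} stages -> {', '.join(stages)}")
```

A single PsExec run from an admin workstation stays below the threshold, while the Exchange host that shows several stages together is surfaced first.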
Corporate IT infrastructure must be secured by the experts at all costs. The data loss and reputational damage caused by a successful attack on a reputable brand are far more costly than paying for the right experts to do the job. Now, what can be done after the data is leaked? It is possible to trace it to the dark web and investigate how these criminals will use the leaked data to launch another attack. iZOOlogic investigates the Dark Web through its Data Loss Recovery services, using threat hunting to help forecast emerging threats targeting your organization.