Exchange Server Bug Exposes a Big Risk to Hackers

  • By Dawna M. Roberts
  • Published: Oct 02, 2020
  • Last Updated: Mar 18, 2022

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of them are still vulnerable. 

A Hacker’s Dream

Unnamed government-backed hackers have been using the Exchange server bug (CVE-2020-0688) to execute code using open-source malware and exploit the email store. Microsoft released a patch in February and issued a warning to Exchange server clients. By April, security experts noted that at least 350,000 Exchange servers were still vulnerable and had not been patched. 

The Technical Details

The Exchange server flaw is related to the fact that all Exchange server versions over the past ten years use the same cryptographic keys controlling the backend panel. Using malware, cybercriminals can take full control of the system and access anything they want.

For the better part of this year, Microsoft products have been under siege by various hacker groups targeting a vulnerability in Microsoft’s Internet Information Service (IIS) and more recently this Exchange server issue. 

Hardik Suri, a member of the Microsoft Defender ATP Research Team, reported that, “In many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web-accessible paths on the server.” The scenario is similar to what is going on in Australia with multiple attacks against business servers within their country.

Suri went on to say, “The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain.” Threat actors use various open-source malware and programs like Mimikatz and MemoryModule to inject code and execute system functions.

Almost with a hint of awe and admiration, Suri notes that “The binary used the open-source MemoryModule library to load the binary using   reflective DLL injection . Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.”

He also warned that these intrusions gave hackers “unrestricted access to any users or group in the organization.” 

Hackers also targeted Microsoft Defender Antivirus and disabled archive scanning to steal .pst files using tools like rar.exe. 

What Microsoft Has to Say About It

Microsoft strongly urges all Microsoft Exchange server customers to apply the patch immediately. Additionally, Suri recommends that they enable multi-factor authentication on all Windows 10 machines.

Microsoft security experts implore Exchange server techs to do some research to determine if anyone has exploited their exchange server by looking for artifacts left by hackers in the Windows Event Log and IIS logs. Suri warns that “This log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate.”

He additionally recommended that companies review their high-level groups like Administrators, Remote Desktop Users, and Enterprise Admins. Additional tips for security experts include practicing the “least-privilege principle” and creating alerts for any suspicious activity on Exchange servers. Installing and configuring Microsoft Defender ATP was also mentioned for behavioral monitoring of IIS and Exchange. 

About the Author
IDStrong Logo

Related Articles

46,000 Veterans and 13 Community Care Providers Affected by a VA Data Breach

The Incident Early last week, the Department of Veteran Affairs (VA) was breached by an unknown c ... Read More

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

Google Voice Scams: What They Are and How to Stay Safe

Google Voice Scams: What They Are and How to Stay Safe

Google Voice scams continue to pose a risk for users of this service. Scammers continuously attempt to lure users into divulging their verification PIN code.

What Are Pretexting Attacks: Scam Types and Security Tips?

What Are Pretexting Attacks: Scam Types and Security Tips?

Have you ever received a text from someone you do not know? Did you become alarmed by the message? Did the message contain information about you and the people you know?

What is a Time-based One-time Password (TOTP)?

What is a Time-based One-time Password (TOTP)?

Authentication is the process that verifies the user's identity to control access to resources, prevent unauthorized users from gaining access to the system, and record user activities (to hold them accountable for their activities).

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Notice

By proceeding with this scan, you agree to let IDStrong run a Free Scan of supplied parameters of your personal information and provide free preliminary findings in compliance with our Terms of Use and Privacy Notice. You consent to us using your provided information to complete the Free Scan and compare it against our records and breach databases or sources to provide your Free preliminary findings report.

Rest assured: IDStrong will not share your information with third parties or store your information beyond what is required to perform your scan and share your results.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close