State-backed APTs are targeting Microsoft Exchange Servers unpatched against CVE-2020-0688.
The patch was released in Microsoft's February Patch Tuesday, making it now more than a month old. The vulnerability is a remote-code execution flaw arising due to a static cryptographic key in Microsoft Exchange Server's on-by-default Exchange Control Panel (ECP).
Trend Micro's Zero-Day Initiative describes the vulnerability as follows: "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is required to exploit this vulnerability.
"The specific flaw exists within the Exchange Control Panel web application. The product fails to generate a unique cryptographic key at installation, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM."
"The vulnerability is actively being exploited in the wild... If your organization has not yet patched, you're going to want to patch or disable ECP as quickly as possible."
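As an added example (not from the article, ZDI, Kenna or Microsoft): a small Python audit that parses an ASP.NET web.config and reports whether the machineKey is hard-coded rather than auto-generated, which is the condition behind the "fails to generate a unique cryptographic key at installation" description above. The two config fragments are constructed samples, not real Exchange files; a hard-coded key is only proof of this specific flaw when it matches the value shipped with the product, so a finding here is a prompt to check the patch level, not a confirmed hit.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for the demo (not taken from a real install).
STATIC_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(config_xml):
    """Inspect <system.web><machineKey> and say whether its keys are static.

    ASP.NET uses validationKey to sign (and decryptionKey to encrypt) ViewState;
    a literal value that every deployment shares lets anyone who knows it forge
    a ViewState blob that the server will deserialize, which is the bug class
    the article describes. 'AutoGenerate' (optionally ',IsolateApps') means the
    framework derives a per-machine key instead.
    """
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element at all: the framework default is AutoGenerate.
        return {"present": False, "static": False, "static_parts": []}
    keys = {"validationKey": mk.get("validationKey", "AutoGenerate"),
            "decryptionKey": mk.get("decryptionKey", "AutoGenerate")}
    static_parts = [name for name, val in keys.items()
                    if not val.startswith("AutoGenerate")]
    return {"present": True,
            "static": bool(static_parts),
            "static_parts": static_parts,
            "validation": mk.get("validation"),
            "decryption": mk.get("decryption")}


if __name__ == "__main__":
    for label, cfg in (("static", STATIC_KEY_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(label, audit_machine_key(cfg))
```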
Incident response security firm Volexity had reported exploitation in the wild earlier this month.
However, Kenna warns that organisations aren't patching quickly enough - especially when compared to the speed with which the January Patch Tuesday updates were applied by Microsoft Exchange Server users.
It warns that less than 15 per cent of vulnerable systems have either been patched or remediated in some way, compared to more than 50 per cent at the same time following release of the January patches.
Using data on internet-facing Outlook Web Access (OWA) servers provided by BinaryEdge, Kenna found that the bulk of installs were 2016 versions, with some 74 per cent found to be 'vulnerable' and 26 per cent 'potentially vulnerable'.
"Yes, this vulnerability requires a first credential, but if you do some quick searching in one of the breach databases, like Dehashed or Spycloud, you'll quickly see this isn't a barrier at all. It's reasonable to assume that there's at least one working credential for any given enterprise available with minimal effort at any given time," Kenna concluded.
"Attackers are effectively one weak or leaked user password away from complete access to your organization. When combined with the external facing nature of OWA and the ECP - on by default in Exchange - this is likely to be one of the most devastating vulnerabilities of 2020."