Multiple nation-state groups are hacking Microsoft Exchange servers

March 9, 2020
in Internet Security

Multiple government-backed hacking groups are exploiting a recently-patched vulnerability in Microsoft Exchange email servers.

The exploitation attempts were first spotted by UK cyber-security firm Volexity on Friday and confirmed today to ZDNet by a source in the DOD.

Volexity did not share the names of the hacking groups exploiting this Exchange vulnerability. Volexity did not return a request for comment for additional details.

The DOD source described the hacking groups as “all the big players,” also declining to name groups or countries.

The Microsoft Exchange vulnerability

These state-sponsored hacking groups are exploiting a vulnerability in Microsoft Exchange email servers that Microsoft patched last month, in the February 2020 Patch Tuesday.

The vulnerability is tracked under the identifier of CVE-2020-0688. Below is a summary of the vulnerability’s technical details:

  • During installation, Microsoft Exchange servers fail to create a unique cryptographic key for the Exchange control panel.
  • This means that all Microsoft Exchange email servers released during the past 10+ years use identical cryptographic keys (validationKey and decryptionKey) for their control panel’s backend.
  • Attackers can send malformed requests to the Exchange control panel containing malicious serialized data.
  • Because the control panel’s keys are known, attackers can make the server accept and deserialize that data, which results in malicious code running on the Exchange server’s backend.
  • The malicious code runs with SYSTEM privileges, giving attackers full control of the server.

Microsoft released patches for this bug on February 11, when it also warned sysadmins to install the fixes as soon as possible, anticipating future attacks.

Nothing happened for almost two weeks. Things escalated towards the end of the month, though, when the Zero-Day Initiative, who reported the bug to Microsoft, published a technical report detailing the bug and how it worked.

The report served as a roadmap for security researchers, who used the information contained within to craft proof-of-concept exploits so they could test their own servers and create detection rules and prepare mitigations.

At least three of these proof-of-concepts found their way onto GitHub [1, 2, 3]. A Metasploit module soon followed.

Just like in many other cases before, once technical details and proof-of-concept code became public, hackers also began paying attention.

On February 26, a day after the Zero-Day Initiative report went live, hacker groups began scanning the internet for Exchange servers, compiling lists of vulnerable servers they could target at a later date. First scans of this type were detected by threat intel firm Bad Packets.

CVE-2020-0688 mass scanning activity has begun. Query our API for “tags=CVE-2020-0688” to locate hosts conducting scans. #threatintel

— Bad Packets Report (@bad_packets) February 25, 2020

Now, according to Volexity, the scans for Exchange servers have turned into actual attacks.

The first ones to weaponize this bug were APTs — “advanced persistent threats,” a term often used to describe state-sponsored hacker groups.

However, other groups are also expected to follow suit. Security researchers to whom ZDNet spoke earlier today said they anticipate that the bug will become very popular with ransomware gangs who regularly target enterprise networks.

Weaponizing older, useless phished credentials

This Exchange vulnerability is not, however, straightforward to exploit. Security experts don’t see this bug being abused by script kiddies (a term used to describe low-level, unskilled hackers).

To exploit the CVE-2020-0688 Exchange bug, hackers need the credentials for an email account on the Exchange server — something that script kiddies don’t usually have.

The CVE-2020-0688 security flaw is a so-called post-authentication bug. Hackers first need to log in and then run the malicious payload that hijacks the victim’s email server.

But while this limitation will keep script kiddies away, it will not keep away APTs and ransomware gangs, experts said.

APTs and ransomware gangs often spend most of their time launching phishing campaigns, following which they obtain email credentials for a company’s employees.

If an organization enforces two-factor authentication (2FA) for email accounts, those credentials are essentially useless, as hackers can’t bypass 2FA.

The CVE-2020-0688 bug lets APTs finally find a purpose for those older 2FA-protected accounts that they’ve phished months or years before.

They can use any of those older credentials as part of the CVE-2020-0688 exploit without needing to bypass 2FA, but still take over the victim’s Exchange server.

A good point in this item: sometimes an APT will obtain some valid passwords for user accounts at a target org, yet not be able to make much immediate use of them due to 2FA being in place. However, it can hang on to those creds and wait patiently for new opportunities to emerge. https://t.co/HzY8CmSepM

— Brian in Pittsburgh (@arekfurt) March 7, 2020

Organizations that have “APTs” or “ransomware” on their threat matrix are advised to update their Exchange email servers with the February 2020 security updates as soon as possible.

All Microsoft Exchange servers are considered vulnerable, even versions that have gone end-of-life (EoL). For EoL versions, organizations should look into updating to a newer Exchange version. If updating the Exchange server is not an option, companies are advised to force a password reset for all Exchange accounts.

Taking over email servers is the Holy Grail of APT attacks, as this allows nation-state groups to intercept and read a company’s email communications.

APTs have targeted Exchange servers before. Past APTs that have hacked Exchange include Turla (a Russian-linked group) and APT33 (an Iranian group).

This blog post from TrustedSec contains instructions on how to detect if an Exchange server has been already hacked via this bug.


Credit: Zdnet
