Attackers Target Vulnerable Exchange ServersMicrosoft Urges Patching, Other Mitigation Steps
Microsoft is warning its customers that attackers are increasingly targeting unpatched Exchange servers, with a significant uptick in activity since April.
In February, Microsoft issued a patch for a vulnerability tracked as CVE-2020-0688, which, if exploited, could allow attackers to perform remote code execution and take over an infected device. This flaw affects numerous versions of Microsoft Exchange Server dating back to 2010.
Then in April, security researchers at Rapid7 Labs reported that attackers had started to develop exploits in the wild and that approximately 350,000 Exchange servers exposed to the internet remained unpatched (see: Microsoft Exchange: 355,000 Servers Lack Critical Patch).
Since then, Microsoft has noticed a significant increase in malicious activity using open source tools to take advantage of the vulnerability, the company says in a Wednesday blog. Many organizations have still failed to apply the patch despite the warnings, the blog notes.
"As these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques," Hardik Suri, a researcher with the Microsoft Defender ATP Research Team, writes in the blog. "The security update that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target."
After gaining access to a vulnerable Exchange server, attackers deploy web shells - malicious code written in common programming languages - into one of the many web accessible paths on the server, Microsoft reports. This enables hackers to steal data or perform malicious actions for further compromise.
Microsoft found that common access paths for web shell deployment were ClientAccess and FrontEnd directories, which provide services such as Outlook on the web, the Exchange Admin Center and AutoDiscover. A common web shell being used in the attacks is the credential-stealer China Chopper, which is hidden in the system using common file names, the blog notes.
After deploying web shells, the hackers run exploratory commands, identify targets and run built-in Exchange Management Shell commands to explore the infected Exchange server, according to the report. They collect a list of all the Exchange Servers on the network as well as details about individual mailboxes, such as role assignments and permissions, according to the blog.
"In most cases, the hijacked application pool services were running with system privileges, giving attackers the highest privilege," Microsoft says.
The attackers even add new user accounts on infected Exchange servers and add the account to high-privilege groups such as administrators and remote desktop users. This enables hackers to access the server without the need to deploy any remote access tools, providing them unrestricted access to any individual or group in the targeted organization, according to the blog.
Researchers observed the use of a technique called DCSYNC, which abuses the Active Directory replication capability to request account information, including password hashes, and can be performed without running a command on the domain controller.
To avoid detection, attackers are disabling Microsoft Defender Antivirus as well as automatic updates, Microsoft says.
"The attacks used multiple fileless techniques, adding another layer of complexity to detecting and resolving these threats and demonstrating how behavior-based detections are key to protecting organizations," according to the blog.
Protecting Exchange Servers
Microsoft urges organizations to promptly patch their systems and leave anti-virus protection enabled on Exchange servers.
Organizations should review high-privilege groups for suspicious additions or removals and restrict access to only those who need it, the company says. Directories such as ClientAccess and FrontEnd should also be monitored for any new file creation.
"Pay attention to and immediately investigate alerts indicating suspicious activities on Exchange servers," the blog states. "Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key."
Kevin Poindexter, a senior consultant at risk management group Crypsis Group, tells Information Security Media Group that Exchange server vulnerabilities are often overlooked.
He offers additional risk mitigation tips: "We recommend that security teams monitor their service account-based applications closely, know the normal usage patterns of those accounts, and restrict log-on times, so that anomalous behavior stands out, as we have recently seen threat actors exploit these as another way into the Exchange server."
Managing Editor Scott Ferguson contributed to this report.