MS Exchange Critical Vulnerability CVE-2020-0688 Targeted by Multiple Actor Groups


The critical Microsoft Exchange Remote Code Execution (RCE) vulnerability labeled as CVE-2020-0688 was released by Microsoft on February 11, but it's gaining renewed attention after a Metasploit module was introduced on March 3. According to Microsoft, “a remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.” Reports are now spreading widely about nation state actors scanning for the vulnerability to leverage attacks. Exploits for the vulnerability were available in early March, and deep and dark web forum users were actively seeking to capitalize on available exploits. In mid-March, a Metasploit integration created a renewed sense of urgency to implement patches for the vulnerability, with warnings from government agencies to patch as soon as possible.

Why is CVE-2020-0688 so Critical?

We asked Kroll experts Jeff Macko and Sam Smoker about this vulnerability, and why organizations must urgently patch it:

  • This vulnerability permits an attacker to run any code of their choosing as SYSTEM, the highest privilege level on a Windows system.
  • Depending on the network configuration, it may permit an attacker to pivot into the internal network and access additional hosts.
  • CVE-2020-0688 would likely permit an attacker to read, alter or send email on behalf of any user.
  • Organizations that allow off-network access to Outlook Web App (OWA) only are still vulnerable to this because the vulnerability is in Exchange Control Panel (ECP), one of its web components.
  • This vulnerability will be useful to actor groups, such as those aligned with nation-states, that have a trove of credentials from past breaches or phishing but no way to leverage those credentials against organizations due to measures like multi-factor authentication for VPN access. However, if the organization has not patched this vulnerability, all criminals would need is one valid username and password.
  • Exchange service accounts typically have very high privileges in Active Directory. An attacker who has gained an initial foothold with an account that lacks local admin permissions can now pivot to SYSTEM on any vulnerable Exchange server where that user has a mailbox and, depending on the server configuration, quickly scrape credentials to escalate to domain or enterprise admin.
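The points above (the flaw sits in the ECP web component and needs only one valid set of credentials) suggest where a defender should look for exploitation attempts: the IIS logs of the Exchange server itself. The following Python is an added example, not code from the article or from Kroll. It assumes one property of the public exploit technique for CVE-2020-0688, namely that the forged serialized ViewState is delivered in the query string of a request to /ecp/, which legitimate browser traffic never does (ViewState travels in a POST body). The log excerpt embedded in the block is constructed for illustration; the generator value and the usernames in it are placeholders.

```python
"""Flag CVE-2020-0688 exploitation attempts in IIS W3C logs from an Exchange server.

Added example (not from the article). Indicator assumed: an /ecp/ request whose
query string carries __VIEWSTATE. A browser sends ViewState only in a POST
body, so its presence in the URL of an ECP request is worth alerting on.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List
from urllib.parse import parse_qs

# Constructed IIS log excerpt (not from the article). IIS replaces spaces inside
# a field with '+', so records can be split on single spaces. The generator
# value EXAMPLE01 and the user names are placeholders.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-03-10 14:02:11
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-10 14:02:11 10.0.0.5 GET /owa/ - 443 CORP\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2020-03-10 14:02:15 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=EXAMPLE01&__VIEWSTATE=%2FwEyAAAAAAAAEXAMPLE 443 CORP\bob 198.51.100.7 python-requests/2.23.0 - 500 0 0 45
2020-03-10 14:02:20 10.0.0.5 POST /ecp/default.aspx - 443 CORP\carol 10.0.0.40 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/ecp/ 200 0 0 80
2020-03-10 14:03:01 10.0.0.5 GET /ecp/ rfr=owa 443 CORP\dave 10.0.0.51 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 60
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    username: str   # the account whose credentials were used (reset it)
    uri_stem: str
    status: str
    reason: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if not fields:
            raise ValueError("record encountered before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record: skip rather than crash
        yield dict(zip(fields, values))


def ecp_viewstate_findings(text: str) -> List[Finding]:
    """Return every ECP request that carries ViewState in its query string."""
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if not stem.startswith("/ecp/") or query == "-":
            continue
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        if "__viewstate" in params:
            findings.append(Finding(
                timestamp=f"{rec['date']} {rec['time']}",
                client_ip=rec.get("c-ip", "?"),
                username=rec.get("cs-username", "-"),
                uri_stem=rec["cs-uri-stem"],
                status=rec.get("sc-status", "?"),
                reason="__VIEWSTATE supplied in the query string of an ECP request",
            ))
    return findings


def findings_by_client(findings: List[Finding]) -> Dict[str, int]:
    """Count attempts per source address to spot scanning or brute forcing."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = ecp_viewstate_findings(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.client_ip} user={h.username} {h.uri_stem} "
              f"status={h.status}: {h.reason}")
    print("attempts per client:", findings_by_client(hits))
```

Run it against the exported W3C logs of an Exchange server (the ECP site logs live under the IIS log directory on that host) and it reports the source address, the authenticated account and the HTTP status of each hit. The username matters for response as much as the IP: since the attack requires a valid login, the flagged account's password is known to the attacker and should be reset along with patching. The benign ECP requests in the sample (a POST with no query string and a GET with an ordinary `rfr=owa` parameter) are not flagged, so the rule is narrow enough to run continuously.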

Deep and Dark Web References to Remote Code Execution Vulnerability

On March 2, Kroll analysts noted that the user @cryptomaniac on the forum Exploit was seeking to buy ready-made exploits for the vulnerability.1 One day later, a user on Raidforums supplied a GitHub link to exploits and detection tools for CVE-2020-0688.2

Figure 1 - On March 3, a User on Raidforums Posts a Link to Exploits for CVE-2020-0688

Metasploit Integration Renews Warnings to Patch 

When the MS Exchange RCE exploit was integrated into Metasploit on March 3, more attention was directed to the criticality of the vulnerability. This was followed by calls for action to patch more widely and efforts to increase awareness about the availability of exploits.  


Figure 2 - A Tweet from March 3 Referencing a Github Link to the Metasploit Exploit


Figure 3 - Mentions of CVE-2020-0688 Spiked on March 9 (Source: Silobreaker)

APT Groups Actively Seeking to Exploit Vulnerability

As multiple APT groups raced to exploit unpatched instances of CVE-2020-0688, the National Security Agency (NSA) posted a warning on its Twitter account reminding organizations to patch the flaw as quickly as possible.


The European Union CERT released a report on March 10 noting that multiple state-backed hacking groups were trying to exploit the RCE vulnerability CVE-2020-0688.3 The Department of Homeland Security (DHS) reiterated by stating, “Multiple APT hacking groups are actively targeting unpatched Microsoft exchange server flaws…if successful, an attacker could remotely install code with elevated privileges.”

Kroll advises clients to follow the mitigation procedures provided by Microsoft and to patch accordingly. Kroll is providing incident response services to affected organizations and will continue to monitor the deep and dark web and open sources for new exploits against CVE-2020-0688. 

Sources
1. Web site; Exploit forum; URL: exploit.in; 2 Mar 2020; accessed on 17 Mar 2020.
2. Web site; Raidforums; URL: hxxps://raidforums.com; 3 Mar 2020; accessed on 17 Mar 2020.
3. Web site; CERT EU; URL: hxxps://cert.europa.eu; 12 Mar 2020; accessed on 17 Mar 2020.



Kroll publication, 24 March 2020: /en/insights/publications/cyber/microsoft-exchange-remote-code-execution-vulnerability
