APT Groups Attack Exchange Servers Via Patched Flaw (Mar 9, 2020)
Threat researchers at Volexity have observed in-the-wild exploitation of a Microsoft Exchange Control Panel (ECP) vulnerability, approximately two weeks after Microsoft released a patch for it. The ECP vulnerability (CVE-2020-0688) results from the “Exchange Server failing to properly create unique cryptographic keys at the time of installation,” according to Trend Micro’s Zero Day Initiative. Exploitation requires valid (compromised) credentials, and Volexity has observed threat actors using the vulnerability to conduct reconnaissance, deploy webshell backdoors, and execute in-memory post-exploitation frameworks, leading the researchers to believe that state-sponsored Advanced Persistent Threat (APT) groups may be behind the detected attacks.
Recommendation: It is important that all users, especially administrators, change passwords periodically as a standard practice, regardless of additional security measures such as Multi-Factor Authentication (MFA). This story also illustrates the importance of keeping all software up to date with the latest security patches.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.