Microsoft Exchange servers are an ideal target for attackers looking to burrow into enterprise networks, says Microsoft, as “they provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance.”
And while they are not the initial entry point in the majority of cases, the company has lately witnessed a rise in attacks aimed at compromising Exchange servers by exploiting an unpatched flaw – more specifically CVE-2020-0688, for which a patch was released in February 2020.
While the attackers need to have compromised, valid email credentials to access the server before attempting to exploit the flaw, they are obviously succeeding in getting their hands on them. (Kevin Beaumont explained why that’s not much of a problem.)
“This is an attacker’s dream: directly landing on a server and, if the server has misconfigured access levels, gain system privileges,” the Microsoft Defender ATP Research Team noted. And, unfortunately, there are still too many internet-facing, unpatched Exchange servers out there.
The attack chain
According to Microsoft, April was the month when multiple campaigns began to target Exchange servers.
After gaining access, the attackers proceeded to install web shells to allow them to control the server remotely, and then started exploring its environment for info on domain users and groups, other Exchange servers in the network, and mailboxes, as well as scanni ..