Microsoft: Patch IIS Bug Now to Protect Exchange Servers
Microsoft has warned Exchange customers to patch their servers urgently after reporting a surge in attacks exploiting an Internet Information Service (IIS) vulnerability.
That flaw, CVE-2020-0688, was patched in February, but attackers are still finding victims compromised by such attacks. With access to the targeted server, hackers often deploy a web shell to steal data or perform other malicious actions in the future, explained Hardik Suri of the Microsoft Defender ATP Research Team.
“If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance,” Suri added.
“This is exacerbated by the fact that Exchange servers have traditionally lacked anti-virus solutions, network protection, the latest security updates and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions. Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.”
Following a web shell deployment, attackers may perform reconnaissance, perhaps using EternalBlue to identify vulnerable machines on the network. If the server has been misconfigured, they may have gained privileges that enable them to add a new account for persistence.
Compromised Exchange servers can also enable credential access for some of the “most sensitive users and groups in an organization,” said Suri.