CVE-2020-0688 is a critical vulnerability affecting Microsoft Exchange Server, allowing attackers to compromise corporate mailbox servers and conduct internal phishing campaigns or move laterally. Find out how this vulnerability is being exploited and how to mitigate against it in today’s edition of the 12 Vulns of Christmas blog series.
CVE-2020-0688 is a critical vulnerability affecting Microsoft Exchange Server, allowing threat actors to achieve remote code execution (RCE) on the Exchange server by exploiting a .NET deserialization vulnerability in the Exchange Control Panel (ECP) web page. While this is indeed a severe software flaw that would allow actors to compromise corporate networks, CVE-2020-0688 is a post-authentication flaw that requires threat actors to possess credentials for a valid email account on the Exchange server, making the vulnerability harder to exploit. This is unlikely to faze threat actors whose tactics, techniques and procedures (TTPs) already include spear-phishing, credential stuffing and password spraying to obtain such email credentials.
The vulnerability was originally disclosed by Microsoft on 11 February 2020 through its monthly list of patches. It only gained attention from threat actors on 25 February, when the Zero Day Initiative (ZDI), a vulnerability broker and bug bounty platform, published a technical report on how the vulnerability works. Security researchers detected scanning activity for CVE-2020-0688 in the following days, indicating that threat actors had started weaponizing Proof of Concept (PoC) code uploaded to GitHub to scan for vulnerable servers and exploit them. A Metasploit module was published soon after, on 3 March, further lowering the bar for threat actors to exploit the vulnerability against affected organisations.
Because compromising a Microsoft Exchange server allows rapid lateral movement, Orpheus analysts assessed that both nation-state actors and ransomware gangs were highly likely to exploit CVE-2020-0688 in order to infect corporate networks and devices. Past incidents indicate that both sets of actors had already targeted Microsoft Exchange servers through other vulnerabilities, such as CVE-2018-8581. March also saw reports that nation-state actors were exploiting CVE-2020-0688 to run system commands to conduct further reconnaissance, deploy backdoors for persistent access, and execute in-memory post-exploitation frameworks.
ZDI has also published research demonstrating that threat actors who control Microsoft Exchange servers would be able to target employees with internal phishing campaigns using legitimate corporate accounts, further enabling lateral movement and credential collection. Researchers also noted that employees with two-factor authentication (2FA) enabled posed challenges to threat actors exploiting the vulnerability, reiterating the effectiveness of the measure for mitigation against credential-based attacks.
We were able to further confirm through threat-intelligence sharing platforms that the vulnerability has been exploited in the wild by nation-state actors, including Berserk Bear, Ocean Lotus and other Russian and Chinese APTs, to target organisations in the government, aviation and defence sectors. Indicators of Compromise (IOCs) also suggest that the vulnerability may have been leveraged by the Egregor ransomware strain, although there have been no public examples of this.
Cybercriminal interest in CVE-2020-0688 has also been high on dark web forums. The following post on a Russian-language dark web forum shows forum users discussing the vulnerability as a potential method for an internal phishing campaign, with one user disclosing access to a corporate user’s Outlook mailbox.
As a result of the severity and continued interest in CVE-2020-0688, we recommend organisations take the following steps to effectively mitigate against the vulnerability:
- Apply the official security patches provided by Microsoft
- Enable 2FA by default on corporate mailboxes in order to prevent account takeover
- Use custom firewall rules to block traffic containing a “_VIEWSTATE” query parameter for the Exchange Control Panel
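The last recommendation can be paired with a retrospective check of IIS logs on the Exchange server. The script below is an added example, not code from the original post or from Orpheus: it parses a few constructed IIS W3C log lines and flags requests to the ECP path whose query string carries the ASP.NET ViewState parameters (the real parameter name is `__VIEWSTATE`, with two underscores), which a normal ECP request never passes in the URL.

```python
from urllib.parse import parse_qs
from collections import Counter

# Constructed IIS W3C log sample (not taken from the original post). The
# "#Fields:" header defines the column order, as in a real IIS log.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-03-02 10:14:03 203.0.113.7 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEy 500
2020-03-02 10:14:05 198.51.100.9 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.test%2Fowa 200
2020-03-02 10:15:11 203.0.113.7 POST /ecp/default.aspx __VIEWSTATE=AAAA 302
2020-03-02 10:15:12 192.0.2.4 GET /ecp/ - 200
"""

# ASP.NET ViewState parameters. ASP.NET matches query-string names
# case-insensitively, so names are upper-cased before comparison.
VIEWSTATE_PARAMS = {"__VIEWSTATE", "__VIEWSTATEGENERATOR"}


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) or blank lines
        parts = line.split(" ")  # IIS encodes spaces inside fields, so this is safe
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def is_suspicious(entry):
    """True for a request under /ecp/ that carries ViewState in the query string."""
    if not entry["cs-uri-stem"].lower().startswith("/ecp/"):
        return False
    query = entry["cs-uri-query"]
    if query == "-":  # IIS writes "-" when there is no query string
        return False
    names = {k.upper() for k in parse_qs(query, keep_blank_values=True)}
    return bool(names & VIEWSTATE_PARAMS)


def find_viewstate_hits(text):
    """Return all suspicious entries from a W3C log text."""
    return [e for e in parse_w3c(text) if is_suspicious(e)]


def hits_by_client(text):
    """Count suspicious requests per source IP, to prioritise triage."""
    return Counter(e["c-ip"] for e in find_viewstate_hits(text))
```

Run it against `SAMPLE_LOG` and the two `/ecp/default.aspx` requests from 203.0.113.7 are flagged while the normal OWA and bare `/ecp/` requests are not.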