BLOG: 12 Vulnerabilities of Christmas: CVE-2020-0688
CVE-2020-0688 is a critical vulnerability affecting Microsoft Exchange Server, allowing attackers to compromise corporate mailbox servers and conduct internal phishing campaigns or move laterally. Find out how this vulnerability is being exploited and how to mitigate against it in today’s edition of the 12 Vulns of Christmas blog series.
CVE-2020-0688 is a critical vulnerability affecting Microsoft Exchange Server, allowing threat actors to achieve remote code execution (RCE) on compromised hosts by exploiting a .NET deserialization vulnerability in the Exchange Control Panel (ECP) web page. While this is indeed a severe software flaw that would allow actors to compromise corporate networks, CVE-2020-0688 is a post-authentication flaw: threat actors must already possess credentials for a valid email account on the Exchange server, which makes the vulnerability harder to exploit. This is unlikely to faze threat actors who already include techniques such as spear-phishing, credential stuffing and password spraying in their tactics, techniques and procedures (TTPs) in order to obtain such email credentials.
The vulnerability was originally disclosed by Microsoft on 11 February 2020 through its monthly list of patches. It only gained attention from threat actors on 25 February, when the Zero Day Initiative (ZDI), a vulnerability broker and bug bounty platform, published a technical report on how the vulnerability works. Security researchers detected scanning activity for CVE-2020-0688 in the following days, indicating that threat actors had started weaponising Proof of Concept (PoC) code uploaded to GitHub to scan for vulnerable servers and exploit them. A Metasploit module was published soon after, on 3 March, further lowering the bar for threat actors to exploit the vulnerability against affected organisations.
Because compromising a Microsoft Exchange server allows rapid lateral movement, Orpheus analysts assessed that both nation-state actors and ransomware gangs were highly likely to exploit CVE-2020-0688 in order to infect corporate networks and devices. Past incidents indicate that both sets of actors have already targeted Microsoft Exchange servers using other vulnerabilities, such as CVE-2018-8581. March also saw reports that nation-state actors were exploiting CVE-2020-0688 to run system commands to conduct further reconnaissance, deploy backdoors for persistent access, and execute in-memory post-exploitation frameworks.
ZDI has also published research demonstrating that threat actors who control Microsoft Exchange servers would be able to target employees with internal phishing campaigns using legitimate corporate accounts, further enabling lateral movement and credential collection. Researchers also noted that employees with two-factor authentication (2FA) enabled posed challenges to threat actors exploiting the vulnerability, reiterating the effectiveness of 2FA as a mitigation against credential-based attacks.
We were able to further confirm through threat-intelligence sharing platforms that the vulnerability has been exploited in the wild by nation-state actors such as Berserk Bear and Ocean Lotus, as well as other Russian and Chinese APTs, to target organisations in the government, aviation and defence sectors. Indicators of Compromise (IOCs) also suggest that the vulnerability may have been leveraged by the Egregor ransomware strain, although there have been no public examples of this.
Cybercriminal interest in CVE-2020-0688 has also been high on dark web forums. The following post on a Russian-language dark web forum includes forum users discussing the vulnerability as a potential method for an internal phishing campaign, with one user disclosing access to a corporate user’s Outlook mailbox.
Figure 1: A post translated from the original Russian shows forum users discussing using CVE-2020-0688 for internal phishing campaigns
As a result of the severity and continued interest in CVE-2020-0688, we recommend organisations take the following steps to effectively mitigate against the vulnerability:
Enable 2FA by default on corporate mailboxes in order to prevent account takeover
Use custom firewall rules to block traffic containing a “__VIEWSTATE” query parameter for the Exchange Control Panel
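As an added example (not code from the original post), here is the defender-side check the second recommendation implies, applied to logs rather than to live traffic: scan the Exchange server's IIS logs for Exchange Control Panel requests that carry a __VIEWSTATE parameter in the URL query string. The log lines are constructed samples, not real traffic; the column layout follows the IIS W3C format that Exchange uses for its web logs.

```python
"""Flag ECP requests carrying ASP.NET ViewState in the query string (CVE-2020-0688 triage)."""
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C log. The "#Fields:" line defines the column order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-03-04 10:15:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 198.51.100.7 200
2020-03-04 10:15:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATE=CONSTRUCTED_SAMPLE_VALUE 443 CORP\\alice 198.51.100.7 500
2020-03-04 10:16:22 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\bob 203.0.113.9 200
"""


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C log text into one dict per request, keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header defines column order for following lines
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) carry no request data
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess the column alignment
        rows.append(dict(zip(fields, values)))
    return rows


def is_suspicious_ecp_request(row: Dict[str, str]) -> bool:
    """True when a request under /ecp/ carries __VIEWSTATE in its query string.

    Legitimate ECP pages send ViewState in the POST body, so its presence in the
    query string is the trait the firewall rule above keys on. parse_qs decodes
    percent-encoded names, so an encoded form of the parameter name is still caught.
    """
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "-")
    if not stem.startswith("/ecp/") or query == "-":  # IIS logs "-" for an empty query
        return False
    params = parse_qs(query, keep_blank_values=True)
    return any(name.lower() == "__viewstate" for name in params)


def find_suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the log rows worth investigating: source IP, account and status for each."""
    return [row for row in parse_w3c(log_text) if is_suspicious_ecp_request(row)]


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-username"], hit["cs-uri-stem"], hit["sc-status"])
```

A hit names the mailbox account whose credentials were used, which is the account to reset and review, since the flaw is post-authentication.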
Orpheus is a leading cybersecurity company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence.