An investigation carried out by cybersecurity firm Rapid7 indicated that over 82% of public-facing Exchange servers remained vulnerable because their patches had not yet been applied. The firm's scan identified 433,464 publicly accessible Exchange servers, of which at least 357,629 (about 82.5%) were vulnerable to attacks exploiting the CVE-2020-0688 flaw.
Many proof-of-concept exploits for the flaw have been published on GitHub, and there have been reports of nation-state Advanced Persistent Threat groups preparing to exploit it. Because exploitation requires a valid Exchange user account, those groups have been obtaining credentials through brute-force attacks and from earlier data breaches.
If the flaw is successfully exploited, attackers gain access to the Exchange server and can compromise the entire Exchange environment: reading all email, creating new mailboxes, forging messages, and executing code remotely on the affected server with SYSTEM privileges.
Microsoft has said there are no mitigations or workarounds that can be configured to prevent exploitation. The only way to stop the flaw from being leveraged is to ensure the patch is applied on every susceptible server.
Since attacks are known to have taken place, administrators should not only apply the patch but also check whether their servers have already been attacked and whether those attacks succeeded.
Rapid7 recommends that Exchange administrators examine the Windows event logs and IIS logs for signs of compromise. Because exploitation requires a valid account, the mailbox credentials used in an attack are recorded alongside traces of the exploit payload in those logs, so the accounts involved can be identified.
Along with locating a worrying number of Exchange servers susceptible to CVE-2020-0688, the researchers also found that a worrying number of Exchange servers were missing updates for several other critical flaws. They found 31,000 Exchange servers that had not received an update since 2012 and 800 Exchange servers that had never been updated.
Rapid7 remarked: “The exploit attempts show up in the Windows Application event log with source MSExchange Control Panel, level Error, and event ID 4. This log entry will include the compromised user account as well as a very long error message that includes the text Invalid viewstate. What you are seeing is portions of the encoded payload. You can also review your IIS logs for requests to a path under /ecp (usually /ecp/default.aspx), which contain the string __VIEWSTATE and __VIEWSTATEGENERATOR.”
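The two checks described above (IIS requests to a path under /ecp carrying __VIEWSTATE and __VIEWSTATEGENERATOR in the query string, and Application event log errors from source MSExchange Control Panel with event ID 4 mentioning "Invalid viewstate") can be automated over exported logs. The script below is an added example written for this page, not Rapid7's or Microsoft's code. The IIS log excerpt and the event records it scans are constructed samples, and the shape of the event records (ProviderName, Level, Id, Message) and the message wording are assumptions modelled on what Get-WinEvent exposes, not verbatim Exchange output.

```python
"""Hunt for CVE-2020-0688 exploitation attempts in exported Exchange logs.

Added example. The IIS log text and the event records below are constructed
samples, not real server data; the event message wording is an assumption.
"""
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt in the default IIS field layout. A normal
# ECP page load posts ViewState in the request body, which IIS does not log;
# exploit requests put it in the URL, so it lands in cs-uri-query.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-03-05 10:12:31 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200 15
2020-03-05 10:12:44 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEPDwUKAAAAAAAAAAAAAAAAAAAA 443 CORP\\jdoe 203.0.113.7 python-requests/2.22.0 500 220
2020-03-05 10:13:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\asmith 198.51.100.4 Mozilla/5.0 200 40
2020-03-05 10:13:10 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\asmith 198.51.100.4 Mozilla/5.0 200 55
"""

# Constructed Application log records shaped like Get-WinEvent output
# (assumed layout; Level 2 is Error in the Windows event model).
SAMPLE_EVENTS = [
    {"ProviderName": "MSExchange Control Panel", "Level": 2, "Id": 4,
     "TimeCreated": "2020-03-05 10:12:44",
     "Message": "Request for URL 'https://mail.example.com/ecp/default.aspx' failed. "
                "User: CORP\\jdoe. Client IP: 203.0.113.7. Invalid viewstate. "
                "ViewState: /wEPDwUKAAAAAAAAAAAAAAAAAAAA"},
    {"ProviderName": "MSExchange Control Panel", "Level": 2, "Id": 4,
     "TimeCreated": "2020-03-05 11:01:09",
     "Message": "Request for URL 'https://mail.example.com/ecp/' failed. Timeout expired."},
    {"ProviderName": "MSExchangeIS", "Level": 2, "Id": 1012,
     "TimeCreated": "2020-03-05 11:05:00",
     "Message": "Unrelated store error."},
]

# ViewState parameters at the start of the query or after an '&'.
VIEWSTATE_RE = re.compile(r"(^|&)__VIEWSTATE(GENERATOR)?=", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per request from a W3C-format IIS log.

    '#Fields:' directives name the columns and may recur mid-file, because
    IIS rewrites the header when the log rolls or the format changes.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            # Truncated or malformed line: fail loudly instead of misaligning columns.
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def find_viewstate_requests(rows):
    """Return IIS rows for /ecp URLs whose query string carries ViewState."""
    hits = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        if stem.startswith("/ecp/") and VIEWSTATE_RE.search(query):
            hits.append(row)
    return hits


def find_viewstate_events(events):
    """Return Application log errors matching the pattern Rapid7 describes."""
    return [e for e in events
            if e.get("ProviderName") == "MSExchange Control Panel"
            and e.get("Level") == 2
            and e.get("Id") == 4
            and "invalid viewstate" in e.get("Message", "").lower()]


def triage(iis_rows, events):
    """Correlate both sources into the accounts and source IPs to act on."""
    by_user = defaultdict(set)
    for row in find_viewstate_requests(iis_rows):
        by_user[row["cs-username"]].add(row["c-ip"])
    return {
        "accounts": {user: sorted(ips) for user, ips in by_user.items()},
        "viewstate_events": len(find_viewstate_events(events)),
    }


if __name__ == "__main__":
    result = triage(list(parse_iis_w3c(SAMPLE_IIS_LOG)), SAMPLE_EVENTS)
    for user, ips in result["accounts"].items():
        print(f"account {user} used in exploit requests from {', '.join(ips)}")
    print(f"{result['viewstate_events']} 'Invalid viewstate' error(s) in the Application log")
```

On a live server, feed the parser the W3C log files under the site's IIS log directory (by default %SystemDrive%\inetpub\logs\LogFiles\W3SVC1 for the Default Web Site), and export the events with `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange Control Panel'; Id=4; Level=2}`. The parser raises on any data line whose column count does not match the current #Fields header, so a corrupted or truncated log is reported rather than silently misread.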
This October, Microsoft will discontinue support for Exchange 2010, and it is worrying that 166,000 public-facing Exchange servers are still running Exchange 2010 so close to the end-of-support date.