Microsoft has over 1.2 billion users worldwide, which makes it a lucrative target for cyber criminals.
Volexity, a US-based cybersecurity firm, has revealed that state-sponsored hackers are exploiting a vulnerability in Microsoft Exchange email servers that Microsoft already patched in February.
Tracked as CVE-2020-0688, the vulnerability is being exploited by state-backed APT (advanced persistent threat) hacking groups.
The vulnerability was identified by an unnamed security researcher, and Microsoft was informed through Trend Micro's Zero Day Initiative. Volexity claims that more than one threat actor is involved in the exploitation of Exchange servers.
Around two weeks after Microsoft released the security updates, the Zero Day Initiative published a blog post with in-depth details of the vulnerability, clearly stating that attackers can exploit an Exchange server only:
“If the Exchange Server had not been patched since February 11, 2020, the Exchange Control Panel (ECP) interface was accessible to the attacker, and the attacker has a working credential that allows them to access the Exchange Control Panel in order to collect the ViewState Key.”
According to Volexity’s blog post, it is possible that hackers have been holding on to stolen credentials that were otherwise of no use, waiting for an opportunity like this one. Security researchers assessed that the vulnerability lets attackers reach any sensitive asset of an organization using an old service account or simply any available user credentials. This is why cybersecurity firms stress changing passwords periodically and employing two-factor authentication to limit what an attacker can do with stolen credentials.
However, Microsoft is now planning to implement multi-factor authentication to protect enterprise systems and safeguard user credentials. The problem is that even with MFA deployed, the system can still be compromised using basic credentials. In other words, although a fix for the vulnerability exists, a server is not secure until the patch has actually been applied.
Update: According to Zak Doffman of Forbes, Volexity has confirmed that the hackers exploiting this vulnerability are based in China.