9:30am, 10 March 2020
TLP Rating:
Vulnerability in Exchange Server actively exploited
Attackers are exploiting the vulnerability (CVE-2020-0688) to execute commands on Exchange Control Panel (ECP). This allows highly privileged access to an organisation’s email servers by using the credentials of any domain user with a mailbox on the Exchange server.
What's happening
Systems affected
All versions of Microsoft Exchange Server are affected.
This attack requires network access to the ECP valid set of Exchange credentials. Note that all that is required is a Domain User account, not an Exchange Admin.
What this means
Attackers are able to send specially crafted requests to the ECP, which will run commands in the Exchange Server context (SYSTEM).
This means an attacker can gain full control of the server, and the information it contains.
What to look for
How to tell if you're at risk
If you run an on-premise installation of Microsoft Exchange Server, and have not applied the February 2020 security updates, you’re at risk.
How to tell if you're affected
- IIS access log entries containing __VIEWSTATE GET parameters
- Presence of unusual child processes for the IIS worker process (w3wp.exe)
- Presence of ECP ServerException logs containing “The serialised data is invalid”
What to do
Prevention
CERT NZ recommends you apply the February 2020 security updates immediately.
These controls can be implemented to make exploitation more difficult:
- Restrict network access to the ECP.
- Enable MFA on the Exchange Server.
More information
For more information, see:
- The technical analysis by The Zero Day Initiative External Link
- Microsoft's advisory on CVE-2020-0688 External Link
- Volexity's blog on the current exploitation, as well as indicators of compromise External Link
If you experience any of these indicators of compromise, or aren't sure, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.