A high-profile vulnerability recently disclosed in Microsoft Exchange is being exploited by state-level actors, warn security experts. Fortunately, there is a patch available.
Many associations rely on Microsoft Exchange as a fundamental part of the way they work, and those that do are going to want to batten down the hatches.
A remote code execution #vulnerability (CVE-2020-0688) exists in Microsoft Exchange Server. If unpatched, an attacker with email credentials can execute commands on your server.
Mitigation Guidance available at: https://t.co/MMlBo8BsB0
— NSA/CSS (@NSAGov) March 7, 2020
This week, the National Security Agency spoke out on Twitter about a vulnerability that affects all versions of Microsoft Exchange Server between 2010 and 2019. The security issue allows for remote code to be executed on the widely used servers when users fail to properly create cryptographic install keys for the server during installation. Many users don’t, meaning that numerous Exchange servers on the internet are vulnerable to this oversight.
As BetaNews notes, IT security firm Volexity has warned that many companies had already seen their servers compromised and that, while a patch has been released, many had not taken steps to apply it.
“Volexity has observed multiple [advanced persistent threat] actors exploiting or attempting to exploit on-premise Exchange servers,” the firm said on its blog. “In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use.”
Beyond patching, solutions to the problem recommended by the security firm include the use of two-factor authentication, which can slow down the attack, and putting access control list restrictions on the Exchange Control Panel virtual directories, which can prevent attackers from getting in.
Exchange Server’s long-standing use and historic market position have made it particularly vulnerable to attacks of this nature over the years, and this is not the only one. Microsoft has recently urged Exchange users to disable old protocols that had gained vulnerabilities over time, noting that the vulnerabilities had been exploited by ransomware or high-profile malware attacks such as WannaCry.