Microsoft Exchange Server Flaw Exploited in APT Attacks
Security News, March 2020
Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn.
After Microsoft patched the flaw in February, researchers with the Zero Day Initiative (ZDI), which first reported the vulnerability, published further details of the flaw and how it could be exploited.
The vulnerability exists in the Exchange Control Panel, a web-based management interface for administrators, introduced in Exchange Server 2010.
According to ZDI, three conditions must hold for an attacker to exploit a vulnerable Exchange server: the server is unpatched, the ECP interface is reachable by the attacker, and the attacker holds a working credential that grants access to the ECP. The ECP protects ASP.NET ViewState with cryptographic keys that are fixed, that is, identical on every installation rather than generated per server. After logging into the ECP with compromised credentials, an attacker can therefore forge ViewState the server accepts as authentic, tricking it into deserializing maliciously crafted ViewState data and allowing the attacker to take over the Exchange server.
After technical details of the flaw were disclosed, researchers said they observed multiple APT groups attempting to brute-force credentials through Exchange Web Services (EWS), which they assessed was likely an effort to obtain the valid credential this vulnerability requires.
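The two behaviours described above leave traces in the IIS logs of an Exchange server: ViewState normally travels in the body of a POST to the ECP, so a request to /ecp/ that carries __VIEWSTATE in the query string is out of place, and a credential-guessing campaign against EWS shows up as repeated 401 responses from one client address. The following is an added example, written for this page rather than taken from the article or from ZDI; it assumes IIS W3C-format logs with the field set named in the #Fields header, and the sample log lines are constructed, not real traffic.

```python
"""Flag ECP requests carrying ViewState in the query string and repeated
EWS authentication failures in IIS W3C logs from an Exchange server."""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log (not real traffic). IIS replaces spaces inside a
# field with '+', so each record is a plain whitespace-separated row.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-02 10:00:01 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
2020-03-02 10:00:02 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=XXXXXXXX&__VIEWSTATE=AAAA 443 CORP\\bob 203.0.113.9 python-requests/2.22.0 500
2020-03-02 10:00:03 10.0.0.5 GET /owa/ - 443 - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 302
2020-03-02 10:00:04 10.0.0.5 POST /ews/exchange.asmx - 443 - 10.0.0.22 Microsoft+Office/16.0 401
2020-03-02 10:00:04 10.0.0.5 POST /ews/exchange.asmx - 443 CORP\\carol 10.0.0.22 Microsoft+Office/16.0 200
2020-03-02 10:01:10 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401
2020-03-02 10:01:11 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401
2020-03-02 10:01:12 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401
2020-03-02 10:01:13 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401
2020-03-02 10:01:14 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401
2020-03-02 10:01:15 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.7 Mozilla/5.0 401
"""


def parse_iis_log(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows instead of misaligning columns
        records.append(dict(zip(fields, values)))
    return records


def ecp_viewstate_in_query(records):
    """ECP requests whose query string carries __VIEWSTATE.

    The ECP's own pages post ViewState in the request body; ViewState in the
    URL of an /ecp/ request is the anomaly worth reviewing. The ViewState
    itself is opaque here, so this flags the delivery path, not the payload."""
    hits = []
    for r in records:
        if not r["cs-uri-stem"].lower().startswith("/ecp/"):
            continue
        params = parse_qs(r["cs-uri-query"])  # "-" (no query) parses to {}
        if "__viewstate" in {k.lower() for k in params}:
            hits.append(r)
    return hits


def ews_auth_failures(records, threshold=5):
    """Client addresses with at least `threshold` 401s against /ews/.

    A single 401 per client is normal (the first leg of an NTLM or Basic
    challenge), so the threshold is what separates guessing from handshakes."""
    failures = Counter(
        r["c-ip"] for r in records
        if r["cs-uri-stem"].lower().startswith("/ews/") and r["sc-status"] == "401"
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


def report(text, threshold=5):
    """Run both checks over a log and return the findings."""
    records = parse_iis_log(text)
    return {
        "records": len(records),
        "ecp_viewstate_in_query": ecp_viewstate_in_query(records),
        "ews_auth_failures": ews_auth_failures(records, threshold),
    }


if __name__ == "__main__":
    result = report(SAMPLE_IIS_LOG)
    for hit in result["ecp_viewstate_in_query"]:
        print("ECP ViewState in query:", hit["c-ip"], hit["cs-username"], hit["cs-uri-query"])
    for ip, n in result["ews_auth_failures"].items():
        print("EWS auth failures:", ip, n)
```

The ECP check is deliberately blind to the ViewState contents: the flaw makes a forged ViewState indistinguishable from a genuine one at the MAC layer, so the detection keys on where the ViewState arrives, and on the account that was logged in when it did, which is the compromised credential the attack depends on. Tune the EWS threshold to the client's normal retry behaviour before alerting on it.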
News URL
https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/