On February 11, 2020 a serious security vulnerability in Microsoft Exchange Servers was discovered and patched with CVE-2020-0688. The security flaw allows attackers to take over almost the entire Windows infrastructure with fairly simple means. All they need is access to the Exchange Control Panel interface and any valid username/password combination – no difficult task thanks to phishing, data leaks and password duplication.

The severity of the security vulnerability was rated 8.8 on the ten-part scale of the National Іnstitute of Standards and Technology. The first attacks by various APT groups started at the end of February. [1]

CERT.at identified and informed affected systems

In April 2020, two months after the release of the security update, the Austrian CERT.at searched for vulnerable systems – and found more than 4,500 unpatched Exchange servers throughout Austria (without claiming to be complete).

Despite a renewed information and warning to those affected, the situation does not look much better when CERT.at carried out a second test in October 2020. [2] Less than one percent may have been patched since then. The renewed test run with improved detection methods comes to a percentage of vulnerable servers of 47.99%. The older the version, the more vulnerable. According to the survey, Microsoft Exchange Server 2013 is affected by 54.52%, 2016 by 51.53%, 2019 “only” by 24.59%.

APT attacks “in the wild” for months

Otmar Lendl of GovCERT Austria knows: “Windows Small Business Servers in particular could be responsible for some of the still unpatched servers”. Support for the Windows Small Business Servers, which had not been further developed for years, ended on January 14, 2020. The security update came a few weeks too late for them. The only thing that helps here is to switch to an up-to-date, secure system. The end of support for Microsoft Office 2010 on October 13 is another good reason for this.

“APT attacks are not aimed exclusively at large companies or government organizations,” warns Benjamin Paar of IKARUS: “For the criminals, attacks on small companies are also worthwhile, for example to finance larger campaigns. In addition, companies that are less well protected often serve as a gateway to a larger target”.

Install updates or convert systems now

“We have contacted the operators of the vulnerable instances again and asked them to install the updates urgently”, Otmar Lendl sums up the latest scan of the Austrian CERT and recommends with a wink: “If you know people who use an Exchange Server, ask them about their update status at the next meeting!

However, in these days it is no longer enough to just apply patches to be safe from attacks. “The professionalism of ransomware attacks has increased massively in the last years. Companies have to defend themselves against attacks that four years ago were only thought to be carried out by nation states”, says Otmar Lendl: “It is not easy to react adequately. It requires a comprehensive security architecture with the corresponding processes. This is not free of charge, it requires money, time and suitable personnel – as well as a change in culture for all employees. Because security and efficiency are often not easy to reconcile”.

[1] https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/

[2] https://cert.at/de/aktuelles/2020/10/microsoft-exchange-cve-2020-0688-revisited