Credit: Microsoft Security
PARCA eNews – June 24, 2020 – Microsoft has issued a further warning to all Exchange users to patch the critical Microsoft Exchange memory corruption vulnerability CVE-2020-0688.
Microsoft released an update to correct the vulnerability in February 2020, and an alert was issued in March when the flaw started to be exploited by APT groups, according to HIPAA Journal.
Microsoft says a security update that fixes this vulnerability has been available for several months, but attackers are still finding vulnerable servers to target.
In many cases, after attackers gain access to an Exchange server they deploy web shells into one of the many web-accessible paths on the server. Multiple threat actors, including ZINC, KRYPTON, and GALLIUM, have been observed using web shells in their campaigns.
An analysis of attacks conducted in April showed APT groups use these web shells to run exploratory commands and perform reconnaissance. They also use EternalBlue to identify other machines on the network to attack.
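Because the post-exploitation step described above is a web shell dropped into a web-accessible path, one practical check for defenders is to inventory the server-side script files under those paths and flag any written after the last known-good baseline. The script below is an added example for this page, not Microsoft's or HIPAA Journal's tooling; it builds a throwaway directory tree standing in for a web root (the `owa/auth` folder name and the file names in it are constructed placeholders, not paths taken from the article), then reports script files whose modification time is newer than the baseline.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Extensions an IIS-hosted web root normally serves as executable server-side
# code; a newly written file of one of these types deserves a look.
# This list is an assumption for the example, not a statement from the page.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php"}


def find_new_script_files(roots, baseline, exts=SCRIPT_EXTENSIONS):
    """Return sorted paths of script files under `roots` modified after `baseline`.

    roots:    iterable of directories (stand-ins for the server's web paths)
    baseline: timezone-aware datetime of the last known-good inventory
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in exts:
                    continue
                path = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                if mtime > baseline:
                    hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Construct a temporary tree imitating a web root (constructed sample data)."""
    base = tempfile.mkdtemp(prefix="webroot_")
    owa = os.path.join(base, "owa", "auth")  # placeholder folder name
    os.makedirs(owa)
    old_ts = (datetime.now(timezone.utc) - timedelta(days=400)).timestamp()

    # A page that shipped with the product: script extension, but old timestamp.
    legit = os.path.join(owa, "logon.aspx")
    with open(legit, "w") as fh:
        fh.write("<%@ Page %>")
    os.utime(legit, (old_ts, old_ts))

    # A static asset: old, and its extension is out of scope anyway.
    img = os.path.join(owa, "logo.png")
    with open(img, "wb") as fh:
        fh.write(b"\x89PNG")
    os.utime(img, (old_ts, old_ts))

    # A freshly written script file; contents are a harmless constructed marker.
    fresh = os.path.join(owa, "helper.aspx")
    with open(fresh, "w") as fh:
        fh.write("<%-- constructed sample, not a real page --%>")
    return base, fresh


def demo():
    """Run the check against the constructed tree; returns (hits, expected_path)."""
    base, fresh = build_sample_tree()
    baseline = datetime.now(timezone.utc) - timedelta(days=30)
    return find_new_script_files([base], baseline), fresh


if __name__ == "__main__":
    hits, _ = demo()
    for path in hits:
        print("review:", path)
```

On a real server you would pass the actual web-accessible directories as `roots` and a baseline taken when the server was last verified clean; a hit is a lead to review, not proof of compromise, since legitimate updates also write new script files, so compare against the patch history before acting.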
If the server has been misconfigured, attackers have been able to gain the highest level of privileges and access to the server without having to use remote access tools.
Sources: HIPAA Journal and Microsoft Defender ATP Research Team