Threat actors are mass-scanning the internet for Microsoft Exchange servers vulnerable to CVE-2020-0688, security researchers at Bad Packets have warned.
Microsoft released a patch for this remote code execution (RCE) vulnerability on 11 February, but according to security researchers it has still not been applied on hundreds of thousands of internet-facing Exchange servers.
CVE-2020-0688 affects the Exchange Control Panel (ECP) web application of Microsoft Exchange Server and lets an attacker take control of an unpatched server, provided they already hold valid credentials for any Exchange user account, for example one obtained through phishing or credential stuffing.
The flaw exists because Exchange did not generate a unique cryptographic key for each installation: every install shipped the same static validationKey and decryptionKey in the ECP web.config. ASP.NET uses the validationKey to check the integrity of ViewState before deserialising it, so an attacker who knows the shared key can craft a ViewState blob that passes that check and is deserialised by the server. Successful exploitation gives remote code execution with SYSTEM-level privileges on the Exchange server.
From there, attackers can often compromise the entire Exchange environment, including all email, and potentially the Active Directory domain as well, since Exchange servers typically hold highly privileged rights in Active Directory.
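To make the mechanism concrete, the following Python is an added illustration (not code from the article, Microsoft, or the ZDI advisory) that models ASP.NET's ViewState MAC check in simplified form: the server appends an HMAC computed with its validationKey and refuses to deserialise anything whose MAC does not verify. The hex key, the attacker "payload" bytes and the function names are placeholders invented for the example; the only real value is the generator `B97B4E27`, which public write-ups give as the ViewStateGenerator for `/ecp/default.aspx`. The example shows why a key shared by every install is fatal: the same forged ViewState that a unique, per-install key rejects is accepted when the key is the one every attacker can read from any copy of the product.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Placeholder for a validationKey that is identical on every installation.
# Hypothetical hex value for the example, NOT the real Exchange key.
STATIC_VALIDATION_KEY = bytes.fromhex(
    "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718"
)

# Constructed stand-in for a serialized object graph. A real exploit would
# carry a .NET deserialization gadget chain here; that is deliberately omitted.
ATTACKER_PAYLOAD = b"<constructed serialized object standing in for a gadget chain>"

# ViewStateGenerator for /ecp/default.aspx as cited in public write-ups.
GENERATOR = "B97B4E27"


def sign_viewstate(validation_key: bytes, payload: bytes, generator: str) -> str:
    """Simplified ViewState MAC: base64(payload || HMAC-SHA1(key, payload || generator)).

    Real ASP.NET serializes differently and mixes the generator in as a
    'modifier'; the security property modelled here is the same."""
    mac = hmac.new(validation_key, payload + generator.encode(), hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def verify_and_extract(validation_key: bytes, viewstate: str, generator: str) -> Optional[bytes]:
    """Server side: hand the payload to the deserializer only if the MAC verifies.

    This check is what is supposed to keep untrusted data away from
    deserialisation; it is only as strong as the secrecy of validation_key."""
    raw = base64.b64decode(viewstate)
    if len(raw) < 20:  # too short to even contain a SHA-1 MAC
        return None
    payload, mac = raw[:-20], raw[-20:]
    expected = hmac.new(validation_key, payload + generator.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def server_accepts_forged_viewstate(server_key: bytes, attacker_key: bytes) -> bool:
    """Attacker signs with the key they know; the server verifies with its own.

    Returns True if the forged ViewState would reach the deserializer."""
    forged = sign_viewstate(attacker_key, ATTACKER_PAYLOAD, GENERATOR)
    return verify_and_extract(server_key, forged, GENERATOR) == ATTACKER_PAYLOAD


def compare_installs() -> Tuple[bool, bool]:
    """(unpatched_result, patched_result).

    Unpatched: every install uses STATIC_VALIDATION_KEY, which the attacker
    can read from any copy of the product, so the forgery verifies.
    Patched: the key is generated per install (modelled with os.urandom), so
    the attacker's signature is computed under the wrong key and is rejected."""
    unpatched = server_accepts_forged_viewstate(STATIC_VALIDATION_KEY, STATIC_VALIDATION_KEY)
    per_install_key = os.urandom(24)
    patched = server_accepts_forged_viewstate(per_install_key, STATIC_VALIDATION_KEY)
    return unpatched, patched


if __name__ == "__main__":
    unpatched, patched = compare_installs()
    print(f"shared static key     : forged ViewState accepted = {unpatched}")
    print(f"per-install random key: forged ViewState accepted = {patched}")
```

The point the model makes is that the MAC itself is not broken: HMAC does exactly what it should, and the server with a unique key rejects the forgery. The bug is entirely in key management, which is why Microsoft's fix changed how the keys are generated rather than the validation logic, and why credentials are still required, since the ECP page that consumes the ViewState sits behind authentication.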
Many threat groups favour email servers such as Exchange as targets, since control of one lets them read all of an organisation's communications and plans.
The vulnerability was discovered by an anonymous security researcher, who reported it to Microsoft via Trend Micro’s Zero Day Initiative. Microsoft then released a security update that fixed how cryptographic keys are generated for Microsoft Exchange Server 2010, 2013, 2016 and 2019.
The company also tagged the bug with an “Exploitation More Likely” assessment, indicating that it could be an attractive target for hackers.
Earlier this month, researchers at cyber security firm Rapid7 warned in a report that nearly 83 per cent of the Microsoft Exchange Servers exposed on the internet are still vulnerable to the CVE-2020-0688 RCE bug.
The Rapid7 team used Project Sonar in March to enumerate internet-facing Exchange servers and checked which were still unpatched against CVE-2020-0688. They found that 357,629 of 433,464 servers were running an unpatched build of Microsoft Exchange as of 24 March 2020.
The team also found that over 31,000 Exchange 2010 servers had not received any update since 2012.
The scan also turned up roughly 800 Exchange 2010 servers that had never been updated at all since installation.
“The update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled,” Rapid7 Labs senior manager Tom Sellers explained in an online post.
“This will typically be servers with the Client Access Server (CAS) role, which is where your users would access Outlook Web App (OWA).”
He also advised administrators to check their servers for signs of compromise. Because an attacker needs valid credentials for at least one email account on the Exchange server, any account tied to attempted exploitation should be considered compromised, Sellers noted.
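One practical way to act on that advice is to look at the IIS logs on each CAS server for requests to the ECP application that carry `__VIEWSTATE` in the URL query string: legitimate ECP pages submit ViewState in the body of a POST, whereas the published exploit technique passes `__VIEWSTATEGENERATOR` and `__VIEWSTATE` as GET parameters to `/ecp/default.aspx`. The Python below is an added example, not code from the article or from Rapid7, that parses W3C-format IIS log lines, flags those requests, and lists the authenticated accounts and source addresses involved so the accounts can be treated as compromised as Sellers recommends. The log excerpt is constructed for the example (hostnames, users and addresses are made up); the function names are assumptions. The `#Fields:` header is read from the file, so the same code works on logs with a different column layout.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not real data). Raw string so that
# backslashes in DOMAIN\user stay literal.
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-25 10:01:12 10.0.0.5 GET /owa/ - 443 CORP\alice 192.0.2.10 Mozilla/5.0 200
2020-03-25 10:01:15 10.0.0.5 POST /ecp/default.aspx - 443 CORP\alice 192.0.2.10 Mozilla/5.0 200
2020-03-25 10:02:40 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAQUFBQQ%3D%3D 443 CORP\bob 198.51.100.7 python-requests/2.23.0 500
2020-03-25 10:02:41 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAQkJCQg%3D%3D 443 - 198.51.100.7 python-requests/2.23.0 500
2020-03-25 10:03:00 10.0.0.5 GET /ecp/ - 443 CORP\carol 192.0.2.11 Mozilla/5.0 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in '#Fields:'.

    IIS writes one space-separated record per line and substitutes '+' for
    spaces inside values, so a plain split() is safe. Records whose column
    count does not match the header are skipped rather than misaligned."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def is_viewstate_in_query(row: Dict[str, str]) -> bool:
    """True for a request to /ecp/ that carries __VIEWSTATE in the query string.

    IIS logs '-' for an empty query. parse_qs percent-decodes keys, so an
    encoded '__VIEWSTATE' is still matched; the generator value is not
    required, since it could be omitted or changed by a different tool."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "-")
    if not stem.startswith("/ecp/") or query == "-":
        return False
    return "__VIEWSTATE" in parse_qs(query)


def find_suspicious_ecp_requests(text: str) -> List[Dict[str, str]]:
    """All log records matching the exploitation pattern, patched or not:
    the request is logged either way, so this also surfaces failed attempts."""
    return [row for row in parse_iis_log(text) if is_viewstate_in_query(row)]


def accounts_and_sources(text: str) -> Tuple[Set[str], Set[str]]:
    """Accounts to treat as compromised, and the client addresses used.

    cs-username is '-' when IIS did not record an authenticated identity for
    that request, so the source IP is collected separately to keep those
    attempts visible."""
    hits = find_suspicious_ecp_requests(text)
    users = {row["cs-username"] for row in hits if row.get("cs-username", "-") != "-"}
    sources = {row["c-ip"] for row in hits if "c-ip" in row}
    return users, sources


if __name__ == "__main__":
    for hit in find_suspicious_ecp_requests(SAMPLE_IIS_LOG):
        print(f"{hit['date']} {hit['time']} user={hit['cs-username']} "
              f"src={hit['c-ip']} status={hit['sc-status']} ua={hit['cs(User-Agent)']}")
    users, sources = accounts_and_sources(SAMPLE_IIS_LOG)
    print("accounts to treat as compromised:", sorted(users))
    print("source addresses:", sorted(sources))
```

On a real server, feed the script the files under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\` (the default site that hosts ECP and OWA), and review every flagged account and source address rather than only the ones that produced a successful status: an attempt that failed against a patched server still proves the credentials it used were in an attacker's hands.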