As part of their Patch Tuesday schedule, Microsoft recently released updates for a remote code execution vulnerability affecting Exchange 2010, 2013, 2016 and 2019 (CVE-2020-0688). Two weeks after the patch was released, Trend Micro’s Zero Day Initiative published a blog post with even more details, including the conditions needed to exploit the vulnerability. According to the cybersecurity company Volexity, multiple APT actors have begun exploiting, or attempting to exploit, on-premise installations of Exchange servers. Volexity also stated that the actors appeared to use previously stolen credentials in some of the attacks.
Binary Defense highly recommends following the security advisory published by Microsoft at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 to determine which patches should be installed. Exploit activity can be detected by searching the Windows Application event log: filter for error events with event ID 4 from the “MSExchange Control Panel” source, then look for an extremely long string of Base64-encoded text following the “__VIEWSTATEGENERATOR” and “__VIEWSTATE” parameters in the URL recorded in the event details. Detection is also possible by reviewing the Exchange entries in the Internet Information Services (IIS) logs for unusual “__VIEWSTATE” and “__VIEWSTATEGENERATOR” parameters. Additional detection details can be found on the Volexity blog. The Binary Defense SOC continually monitors clients’ Security Information and Event Management (SIEM) systems on a 24/7 basis for a broad range of security events, including attacks similar to this one.
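As an added example (not code from Binary Defense, Volexity or Microsoft), the following Python scanner applies the IIS-log check described above to constructed W3C log lines: it parses the `#Fields:` directive, pulls `__VIEWSTATE` and `__VIEWSTATEGENERATOR` out of the recorded query string, and flags requests whose ViewState is unusually long. The field list, the sample entries, the generator value and the 1000-character threshold are all assumptions for illustration, not values taken from the advisory.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample IIS W3C log, not real traffic. The #Fields: header is the
# standard IIS directive; the third entry carries an unusually long __VIEWSTATE
# value in the query string, the pattern the advisory above says to look for.
# The generator value "ABCD1234" is a placeholder, not a real Exchange value.
LONG_BLOB = base64.b64encode(b"constructed-sample " * 60).decode()
SAMPLE_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2020-02-26 10:00:01 10.0.0.5 GET /owa/ - 443 - 10.0.0.20 Mozilla/5.0 200",
    "2020-02-26 10:00:02 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCD1234&__VIEWSTATE=dDwtNTg4NTQ5NjQ7Oz4= 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200",
    f"2020-02-26 10:00:03 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCD1234&__VIEWSTATE={LONG_BLOB} 443 CORP\\alice 10.0.0.20 python-requests/2.22 500",
])

def parse_iis_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def viewstate_in_query(entry):
    """Return (generator, viewstate) found in the entry's query string, or None."""
    query = entry.get("cs-uri-query", "-")
    if query == "-":          # IIS writes "-" when there is no query string
        return None
    params = parse_qs(query, keep_blank_values=True)
    vs = params.get("__VIEWSTATE", [""])[0]
    gen = params.get("__VIEWSTATEGENERATOR", [""])[0]
    if not vs and not gen:
        return None
    return gen, vs

def scan(text, max_len=1000):
    """Flag entries whose query-string __VIEWSTATE exceeds max_len characters.
    max_len is an assumed threshold; tune it against a baseline of normal ECP traffic."""
    hits = []
    for entry in parse_iis_log(text):
        found = viewstate_in_query(entry)
        if found and len(found[1]) > max_len:
            hits.append({"client": entry["c-ip"], "path": entry["cs-uri-stem"],
                         "viewstate_len": len(found[1]), "status": entry["sc-status"]})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Each hit records the client IP, the ECP path, the ViewState length and the HTTP status, which is enough to pivot into the Application event log entries the advisory mentions.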