According to a survey by Rapid7, roughly 350,000 Microsoft Exchange servers exposed to the Internet are still vulnerable to CVE-2020-0688, a post-authentication remote code execution vulnerability that affects all supported versions of Microsoft Exchange Server.
The vulnerability lies in the Exchange Control Panel (ECP), which is enabled by default. An attacker who holds valid credentials for any mailbox on the server can use it to take full control of a vulnerable Exchange server.
Microsoft patched the flaw, rated critical, in its February 2020 security update. On March 4, Rapid7, a well-known cybersecurity firm, added an exploit module for the Exchange RCE to its Metasploit framework, and multiple proofs-of-concept had already been published on GitHub.
80% of the Servers Not Patched
On March 24, Rapid7 ran a scan with its Project Sonar research project and found that of the 433,464 Exchange servers observed, approximately 357,629 (82.5%) were still vulnerable to CVE-2020-0688.
The problem is not limited to servers missing the CVE-2020-0688 fix: Rapid7 also found about 31,000 Exchange 2010 servers that have not been updated since 2012.
"There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise," said Rapid7 Labs senior manager Tom Sellers.
Patch and Check for Compromise for CVE-2020-0688
Whether an Exchange server has already been attacked can be checked by reviewing the Windows Event logs and the IIS logs.
"User accounts compromised and used in attacks against Exchange servers can be discovered by checking Windows Event and IIS logs for portions of encoded payloads including either the 'Invalid viewstate' text or the __VIEWSTATE and __VIEWSTATEGENERATOR string for requests to a path under /ecp," BleepingComputer reports.
The most important step, however, is applying the patch for CVE-2020-0688. The most reliable way to confirm that the update is actually installed is to check with patch management software rather than relying on a version banner.
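The IIS log check described above, as an added example that is not part of the original article or of Rapid7's tooling: it parses an IIS W3C extended log, flags requests to a path under /ecp whose query string carries __VIEWSTATE or __VIEWSTATEGENERATOR, and reports the user account and client IP behind each one. The log excerpt is constructed sample data, the __VIEWSTATE blob is a harmless base64 string rather than a real payload, and the field list in the #Fields header is an assumption; a real deployment's header may differ, which is why the parser reads it from the file instead of hard-coding column positions.

```python
import base64
import binascii
from typing import Dict, Iterator, List, Optional
from urllib.parse import parse_qs, quote

# Constructed IIS W3C extended log excerpt (sample data, not a real capture).
# Third entry imitates what a CVE-2020-0688 attempt looks like: a GET to
# /ecp/default.aspx carrying __VIEWSTATEGENERATOR and __VIEWSTATE in the
# query string. Legitimate ECP traffic sends those fields in a POST body,
# which IIS does not log, so their presence in cs-uri-query stands out.
FAKE_VIEWSTATE = base64.b64encode(b"constructed sample, not a real gadget chain").decode()
SAMPLE_IIS_LOG = (
    "#Software: Microsoft Internet Information Services 10.0\n"
    "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status\n"
    "2020-03-25 10:00:01 GET /owa/ - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200\n"
    "2020-03-25 10:00:05 POST /ecp/default.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200\n"
    "2020-03-25 10:01:17 GET /ecp/default.aspx "
    f"__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE={quote(FAKE_VIEWSTATE, safe='')} "
    "443 CORP\\bob 198.51.100.7 python-requests/2.23.0 500\n"
    "2020-03-25 10:02:00 GET /ecp/ - 443 CORP\\carol 10.0.0.21 Mozilla/5.0 200\n"
)

VIEWSTATE_PARAMS = ("__VIEWSTATE", "__VIEWSTATEGENERATOR")


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can change mid-file; take the latest
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split(" ")
            if not fields or len(values) != len(fields):
                continue  # malformed line: skip rather than misalign columns
            yield dict(zip(fields, values))


def decode_viewstate(value: str) -> Optional[bytes]:
    """Base64-decode a __VIEWSTATE value; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_viewstate_requests(records: Iterator[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return ECP requests whose query string carries ViewState parameters."""
    hits: List[Dict[str, object]] = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if not stem.startswith("/ecp") or query == "-":
            continue
        params = parse_qs(query, keep_blank_values=True)
        if not any(p in params for p in VIEWSTATE_PARAMS):
            continue
        viewstate = params.get("__VIEWSTATE", [""])[0]
        hits.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "method": rec.get("cs-method"),
            "user": rec.get("cs-username"),   # the account whose credentials were used
            "client_ip": rec.get("c-ip"),      # where the attempt came from
            "status": rec.get("sc-status"),
            "viewstate_preview": decode_viewstate(viewstate),
        })
    return hits


if __name__ == "__main__":
    for hit in find_viewstate_requests(parse_iis_w3c(SAMPLE_IIS_LOG)):
        print(f"{hit['time']} {hit['method']} user={hit['user']} "
              f"ip={hit['client_ip']} status={hit['status']} "
              f"viewstate={hit['viewstate_preview']!r}")
```

Run it against a real log with `find_viewstate_requests(parse_iis_w3c(open(path).read()))`. Every hit names the account whose credentials were used, which is the account to reset and investigate; a 500 status on such a request does not mean the attempt failed, since the deserialized payload runs before the page errors out.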