10 March 2020

Nation-state hackers compromise Microsoft Exchange servers vulnerable to CVE-2020-0688


Multiple state-backed hacking groups are trying to exploit an RCE vulnerability in Microsoft Exchange email servers that Microsoft addressed last month as part of the February 2020 Patch Tuesday.

The vulnerability, tracked as CVE-2020-0688, affects the Exchange Control Panel (ECP) component and stems from the fact that Exchange Server fails to properly create unique cryptographic keys at the time of installation. This flaw allows a remote, authenticated attacker to execute arbitrary code with SYSTEM privileges on a server and fully compromise it.

An attacker could exploit a vulnerable Exchange server if the following three criteria were met:

1. The Exchange Server had not been patched since February 11, 2020.

2. The Exchange Control Panel (ECP) interface was accessible to the attacker.

3. The attacker had a working credential that allowed them to access the Exchange Control Panel in order to collect the ViewStateKey from the authenticated session cookie as well as the __VIEWSTATEGENERATOR value from a hidden field within the page source. The credential leveraged by the attacker does not need to be highly privileged or have ECP access.

The exploitation attempts were first detected by cybersecurity firm Volexity and later confirmed to ZDNet by the United States Department of Defense.

“Volexity has also observed multiple concerted efforts by APT groups to brute-force credentials by leveraging Exchange Web Services (EWS) in an effort to likely exploit this vulnerability. Volexity believes these efforts to be sourced from known APT groups due to IP address overlap from other attacks and, in some cases, due to the targeting of credentials that would only be known from a previous breach,” the cybersecurity firm said.

Neither Volexity nor the DoD specified which advanced persistent threat (APT) groups were behind the attacks.

As was previously reported, the first scans for unpatched Microsoft Exchange servers began at the end of February, shortly after a report on CVE-2020-0688 appeared online. After this report, multiple proof-of-concept exploits surfaced on GitHub, followed by a new Metasploit module.
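The two activities the article describes, ViewState-based requests against the Exchange Control Panel and credential brute-forcing through Exchange Web Services, both leave traces in the IIS logs of the Exchange front end. The script below is an added detection example, not code from the article, Volexity or Microsoft. It parses IIS W3C log lines and flags (a) requests to /ecp/ that carry __VIEWSTATE or __VIEWSTATEGENERATOR in the query string, on the assumption that legitimate ECP pages send ViewState in a POST body rather than a URL, and (b) client IPs with many 401 responses against /EWS/. The log lines, the field layout, the IP addresses, the __VIEWSTATEGENERATOR value and the 401 threshold are all constructed for the example.

```python
"""Heuristic IIS log review for the CVE-2020-0688 activity described above.

Added example; not the article's, Volexity's or Microsoft's code. Log lines,
field layout, addresses and thresholds are constructed for illustration.
"""
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt. Real logs usually have more fields; the
# parser reads whatever the #Fields header declares.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-02-26 10:01:02 POST /ecp/default.aspx - CORP\\alice 192.0.2.10 200
2020-02-26 10:01:09 GET /ecp/default.aspx __VIEWSTATEGENERATOR=0A1B2C3D&__VIEWSTATE=dGVzdA%3D%3D CORP\\bob 198.51.100.7 500
2020-02-26 10:02:00 POST /EWS/Exchange.asmx - - 203.0.113.9 401
2020-02-26 10:02:01 POST /EWS/Exchange.asmx - - 203.0.113.9 401
2020-02-26 10:02:02 POST /EWS/Exchange.asmx - - 203.0.113.9 401
2020-02-26 10:02:03 POST /EWS/Exchange.asmx - - 203.0.113.9 401
2020-02-26 10:02:04 POST /EWS/Exchange.asmx - - 203.0.113.9 401
2020-02-26 10:02:05 POST /EWS/Exchange.asmx - - 203.0.113.9 401
2020-02-26 10:02:07 POST /EWS/Exchange.asmx - - 192.0.2.10 401
2020-02-26 10:02:08 POST /EWS/Exchange.asmx - CORP\\alice 192.0.2.10 200
"""


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines instead of guessing column positions
        records.append(dict(zip(fields, values)))
    return records


def viewstate_in_query(records):
    """ECP requests carrying ViewState parameters in the URL query string.

    Assumption: the ECP UI submits __VIEWSTATE in POST bodies, so ViewState in
    cs-uri-query is unusual and worth a look regardless of the response code.
    """
    hits = []
    for rec in records:
        if not rec["cs-uri-stem"].lower().startswith("/ecp/"):
            continue
        query = rec["cs-uri-query"]
        if query == "-":  # IIS writes '-' when there is no query string
            continue
        keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        if "__viewstate" in keys or "__viewstategenerator" in keys:
            hits.append(rec)
    return hits


def ews_auth_failures(records, threshold=5):
    """Client IPs with at least `threshold` 401 responses against /EWS/.

    A single 401 is normal for NTLM/Negotiate handshakes, so the threshold
    (an assumed value) separates handshakes from password guessing.
    """
    failures = Counter(
        rec["c-ip"]
        for rec in records
        if rec["cs-uri-stem"].lower().startswith("/ews/") and rec["sc-status"] == "401"
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for rec in viewstate_in_query(recs):
        print("ViewState in ECP query string:", rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"])
    for ip, count in ews_auth_failures(recs).items():
        print(f"EWS auth failures from {ip}: {count}")
```

Run against a real Exchange front-end log, the ViewState check points at specific requests and accounts (the article notes the credential used need not be privileged, so the cs-username in a hit is the account to review), while the EWS check only identifies sources for follow-up; both are heuristics that need correlation with the Exchange application event log before drawing conclusions.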
