A dangerous vulnerability for which patches have been available since February and which is already being exploited in attacks – and yet, in Germany alone, around 40,000 systems are still vulnerable. Not just any systems, either: Exchange servers. These are the communication hubs of companies, through which almost everything passes: e-mail, calendars, contacts. Nevertheless, many administrators apparently do not care about their security.
As the BSI has now also warned, there are around 40,000 Exchange servers in Germany that are vulnerable to CVE-2020-0688, a fixed cryptographic key in the Exchange Control Panel (ECP) that allows anyone with a valid Exchange account to take over the entire server over the network. More than half of all administrators of Exchange servers whose web interface is reachable directly from the Internet are thus relying on the Saint Florian principle ("Spare my house, set fire to the others!").
The BSI has therefore been issuing a warning since yesterday, Tuesday. In addition, the agency has raised its IT threat level to 3, meaning: "The IT threat situation is business-critical. Massive disruption of regular operations."
Only a matter of time
The situation should not be overdramatized. To take over the Exchange server, the attacker first needs valid credentials for an Exchange account. But this hurdle is not particularly high. All it takes is one malware-infected computer or one careless user falling for a phishing e-mail, quite apart from the fact that the Emotet gang, for example, has already hoarded plenty of stolen credentials. CERT-Bund therefore rightly rates the risk as "very high".
To make matters worse, the Exchange server is very tightly coupled to Active Directory, often without adequate safeguards. "Depending on the system environment, the compromise of an Exchange server can quickly lead to the attacker obtaining domain administrator credentials," the BSI states in its security warning about the Exchange vulnerability, and it advises updating affected servers as soon as possible.
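A quick local check that a practitioner can run before or after patching is to look at the ECP web.config directly, because CVE-2020-0688 hinges on the fixed ASP.NET machineKey that every unpatched Exchange installation shared. The following PowerShell snippet is an added example, not code from the article or from the BSI warning. It assumes the server sets $env:ExchangeInstallPath (Exchange setup does this) and compares the configured validationKey against the static value published in the public analyses of the bug; finding that value proves the server is unpatched, while not finding it is only a hint and the February 2020 security update should still be confirmed in the list of installed updates.

```powershell
# Added example (not part of the article or the BSI advisory).
# Reads the ECP web.config on an Exchange server and reports whether it still
# carries the fixed validationKey that made CVE-2020-0688 exploitable.
# Assumptions: $env:ExchangeInstallPath is set (Exchange setup does this) and
# the script is run in an elevated PowerShell on the Exchange server itself.

# The static key shared by unpatched installations, as published in the public
# analyses of CVE-2020-0688.
$KnownStaticValidationKey = 'CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF'

function Test-EcpStaticMachineKey {
    param(
        # Default: the ECP virtual directory config under the Exchange install path.
        [string]$ConfigPath = (Join-Path $env:ExchangeInstallPath 'ClientAccess\ecp\web.config')
    )

    if (-not (Test-Path -Path $ConfigPath)) {
        return [pscustomobject]@{
            Path          = $ConfigPath
            Status        = 'ConfigNotFound'
            ValidationKey = $null
        }
    }

    # Parse the config as XML and locate the <machineKey> element.
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $machineKey = $config.SelectSingleNode('//machineKey')
    if ($null -eq $machineKey) {
        return [pscustomobject]@{
            Path          = $ConfigPath
            Status        = 'NoMachineKeyElement_VerifyPatchLevel'
            ValidationKey = $null
        }
    }

    $key = $machineKey.GetAttribute('validationKey')

    # Only the known static key is a definitive finding; anything else still
    # needs the installed-updates list checked for the February 2020 update.
    $status = if ($key -ieq $KnownStaticValidationKey) {
        'VULNERABLE_StaticKeyPresent'
    } else {
        'StaticKeyNotFound_VerifyPatchLevel'
    }

    [pscustomobject]@{
        Path          = $ConfigPath
        Status        = $status
        ValidationKey = $key
    }
}

# Usage: run on each Exchange server; the object can be collected centrally.
Test-EcpStaticMachineKey | Format-List
```

Run this on every Exchange server in the organization, not only on the ones whose Outlook Web App or ECP is exposed to the Internet; the credentials an attacker needs are the same internally, and the article's point about Active Directory coupling applies to all of them.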
If Rapid7 and the BSI can identify the affected servers by scanning, cybercrime gangs will have no trouble doing the same. They can then target the affected companies and organizations. It is not a question of whether, but only of when, massive IT problems will hit them.