More Than 10 APT Groups Exploiting Recent Microsoft Exchange Vulnerabilities

There are more than 10 different advanced persistent threat (APT) groups exploiting recent Microsoft Exchange vulnerabilities, according to ESET research.

Last week, Microsoft released out-of-band patches to fix multiple zero-day vulnerabilities believed to have been exploited by the Chinese state-sponsored group Hafnium. The step was taken to protect customers running on-premises versions of Microsoft Exchange Server.

However, today (March 10), ESET claimed that the number of APT groups exploiting the vulnerabilities is believed to be in double figures, identifying more than 5000 email servers worldwide – belonging to businesses and governments alike – that have been affected by related malicious activity.

“The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse,” said ESET researcher Matthieu Faou. “Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign.

“However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later,” he added.

What’s more, the ESET researchers noticed that some APT groups were exploiting the vulnerabilities even before the patches were released, dismissing the possibility that the groups built exploits by reverse engineering Microsoft updates.

The threat groups/behavior clusters identified by ESET are:

  • Tick
  • LuckyMouse
  • Calypso
  • Websiic
  • Winnti Group
  • Tonto Team
  • ShadowPad activity
  • The “Opera” Cobalt Strike
  • IIS backdoors
  • Mikroceen
  • DLTMiner

“It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity. The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet,” concluded Faou.
