At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities

At least 10 threat actors are currently involved in the targeting of Microsoft Exchange servers that are affected by recently disclosed zero-day vulnerabilities, according to cybersecurity firm ESET.

On March 2, Microsoft announced patches for four bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that were part of a pre-authentication remote code execution (RCE) attack chain already being exploited in the wild.

Successful exploitation of the bugs could result in the attacker deploying webshells onto the vulnerable Exchange servers, potentially taking full control of them. To date, ESET has identified more than 5,000 compromised servers, but others previously reported that tens of thousands of organizations may have been hacked.
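The outcome described above, a webshell written into the Exchange server's web directories, is also the most practical thing to hunt for on a server that was exposed before it was patched. The script below is an added example for this article, not code from ESET, Microsoft or SecurityWeek: it walks the IIS and Exchange front-end directories (the paths are assumptions for a default Exchange 2016/2019 install), flags `.aspx`/`.ashx`/`.asmx` files containing constructs typical of one-line webshells (server-side `eval` of request data, a JScript page directive, process spawning or assembly loading from a page), and notes whether each file was modified after a cutoff date. The sample tree it builds when no Exchange directories are present is constructed for demonstration; the file names and patterns are not indicators published by anyone. Treat every hit as a lead for manual review, not as proof of compromise.

```python
"""Webshell triage for an Exchange front end (added example, not from the
article, ESET or Microsoft). Walks the IIS/Exchange web directories, flags
script files containing constructs typical of one-line webshells, and notes
whether each file changed after a cutoff date. Hunting aid only: review hits.
Paths, file names and patterns below are assumptions, not published IOCs."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path

# Assumed default install locations for an Exchange 2016/2019 front end.
DEFAULT_ROOTS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    r"C:\inetpub\wwwroot\aspnet_client",
]
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Constructs a legitimate Exchange page should not contain. Case-insensitive.
SUSPICIOUS = {
    "eval_of_request": re.compile(r"eval\s*\(\s*Request\b", re.I),
    "jscript_page": re.compile(r'Language\s*=\s*"?\s*JScript', re.I),
    "process_start": re.compile(r"Process\.Start\s*\(", re.I),
    "cmd_shell": re.compile(r"\bcmd(?:\.exe)?\b[^\n]*?/c\b", re.I),
    "assembly_load": re.compile(r"Assembly\.Load\s*\(", re.I),
}


@dataclass
class Hit:
    path: str
    modified: datetime
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Content matches are "high"; a file that merely changed after the
        # cutoff (e.g. by patching) only warrants review.
        content = [r for r in self.reasons if r != "modified_after_cutoff"]
        return "high" if content else "review"


def classify(content: str) -> list:
    """Return the names of every suspicious pattern found in page source."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(content)]


def scan(roots, cutoff: datetime) -> list:
    """Walk roots; return a Hit for each script file that matches a pattern
    or was modified at/after cutoff. Missing roots are skipped silently."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(SCRIPT_EXTENSIONS):
                    continue
                path = Path(dirpath) / name
                try:
                    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
                    text = path.read_text(errors="replace")
                except OSError:
                    continue
                reasons = classify(text)
                if mtime >= cutoff:
                    reasons.append("modified_after_cutoff")
                if reasons:
                    hits.append(Hit(str(path), mtime, reasons))
    return hits


def build_sample_tree() -> str:
    """Constructed sample: an old benign page plus a China Chopper-style
    one-liner written just now. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="exch-triage-")
    auth = Path(root) / "owa" / "auth"
    auth.mkdir(parents=True)
    benign = auth / "logon.aspx"
    benign.write_text('<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    old = datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(benign, (old, old))  # backdate so it falls before the cutoff
    shell = auth / "sample_shell.aspx"  # constructed name for the demo
    shell.write_text('<%@ Page Language="Jscript"%><%eval(Request.Item["x"],"unsafe");%>\n')
    return root


def demo() -> list:
    """Scan the constructed tree with an assumed cutoff of 2021-02-26."""
    cutoff = datetime(2021, 2, 26, tzinfo=timezone.utc)
    return scan([build_sample_tree()], cutoff)


if __name__ == "__main__":
    roots = DEFAULT_ROOTS if any(os.path.isdir(r) for r in DEFAULT_ROOTS) else [build_sample_tree()]
    for hit in scan(roots, datetime(2021, 2, 26, tzinfo=timezone.utc)):
        print(f"[{hit.severity}] {hit.path} modified={hit.modified:%Y-%m-%d} reasons={hit.reasons}")
```

Run it on the server itself (or on a mounted image of its disk) with the cutoff set to the earliest date the server could have been exposed; files that Exchange's own patch installer touched will show up as "review" hits, while anything evaluating request data from a page is worth pulling for analysis immediately. The patterns are deliberately narrow so that the list stays short; an obfuscated shell can evade them, so a file-system timeline of the same directories remains the second check.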

Last week, Microsoft said that the flaws were being exploited by Chinese hacking group HAFNIUM, but security researchers were quick to report that several cyber-espionage groups were already targeting the vulnerable Exchange servers.

Now, ESET reveals that at least 10 threat actors are actively engaged in such attacks, including Tick (also known as Bronze Butler), LuckyMouse (also tracked as APT27), Calypso, Websiic, Winnti Group (BARIUM, APT41), Tonto Team (CactusPete), ShadowPad, Mikroceen, and DLTMiner. Activity involving the “Opera” Cobalt Strike and IIS backdoors was also observed.

“On 2021-02-28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group. This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch,” ESET notes.

Immediately after the patches were released, the researchers noticed a spike in attacks, with adversaries “scanning and compromising Exchange servers en masse.” Overall, more than 10 different threat actors are currently abusing the RCE exploit chain to install implants on vulnerable servers.

“Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization,” ESET says.

Targeted organizations include governmental entities, IT services providers and other private companies (IT, telecommunications, engineering, oil, construction equipment, procurement, cybersecurity consulting, software development, and utility).

“Our ongoing research shows that […] multiple APTs have access to the exploit, and some even did so prior to the patch release. It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later,” ESET notes.

The targeted entities are located in the US, Germany, the UK and other European countries (including some located in Eastern Europe), Asia, South America, Africa, and the Middle East.

According to Reuters, at least “60,000 computer systems in Germany” were exposed to the Exchange zero-day flaws. Norway’s parliament, the Storting, was affected by these attacks as well. With proof-of-concept code published online, the number of attacks will only increase.

On Wednesday, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on the compromise of Exchange servers, noting that both state-sponsored actors and cybercriminals are targeting the zero-day flaws.

The attacks could result in adversaries gaining access to and control of enterprise networks, the two agencies warn, adding that tens of thousands of systems in the United States — containing research, personally identifiable information (PII), technology data, and other sensitive information — are potentially at risk.

“Threat actors have targeted local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical,” the advisory reads.

The FBI and CISA also note that threat actors will continue to exploit these issues, looking to compromise networks and exfiltrate data, encrypt data for ransom, sell access to the compromised networks, or even launch destructive attacks on the vulnerable systems.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
