SecurityWeek

At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities

At least 10 threat actors are currently targeting Microsoft Exchange servers affected by recently disclosed zero-day vulnerabilities, according to cybersecurity firm ESET.

On March 2, Microsoft announced patches for four bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that were part of a pre-authentication remote code execution (RCE) attack chain already being exploited in the wild.

Successful exploitation of the bugs could result in the attacker deploying webshells onto the vulnerable Exchange servers, potentially taking full control of them. To date, ESET has identified more than 5,000 compromised servers, but others previously reported that tens of thousands of organizations may have been hacked.

Last week, Microsoft said that the flaws were being exploited by Chinese hacking group HAFNIUM, but security researchers were quick to report that several cyber-espionage groups were already targeting the vulnerable Exchange servers.

Now, ESET reveals that at least 10 threat actors are actively engaged in such attacks, including Tick (also known as Bronze Butler), LuckyMouse (also tracked as APT27), Calypso, Websiic, Winnti Group (BARIUM, APT41), Tonto Team (CactusPete), ShadowPad, Mikroceen, and DLTMiner. Activity involving the “Opera” Cobalt Strike and IIS backdoors was also observed.

“On 2021-02-28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group. This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch,” ESET notes.

Immediately after the patches were released, the researchers noticed a spike in attacks, with adversaries “scanning and compromising Exchange servers en masse.” Overall, more than 10 different threat actors are currently abusing the RCE exploit chain to install implants on vulnerable servers.

“Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization,” ESET says.

Targeted organizations include governmental entities, IT services providers and other private companies (IT, telecommunications, engineering, oil, construction equipment, procurement, cybersecurity consulting, software development, and utility).

“Our ongoing research shows that […] multiple APTs have access to the exploit, and some even did so prior to the patch release. It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later,” ESET notes.

The targeted entities are located in the US, Germany, the UK and other European countries (including some located in Eastern Europe), Asia, South America, Africa, and the Middle East.

According to Reuters, at least “60,000 computer systems in Germany” were exposed to the Exchange zero-day flaws. Norway’s parliament, the Storting, was affected by these attacks as well. With proof-of-concept code published online, the number of attacks will only increase.

On Wednesday, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on the compromise of Exchange servers, noting that both state-sponsored actors and cybercriminals are targeting the zero-day flaws.

The attacks could result in adversaries gaining access to and control of enterprise networks, the two agencies warn, adding that tens of thousands of systems in the United States — containing research, personally identifiable information (PII), technology data, and other sensitive information — are potentially at risk.

“Threat actors have targeted local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical,” the advisory reads.

The FBI and CISA also note that threat actors will continue to exploit these issues, looking to compromise networks and exfiltrate data, encrypt data for ransom, sell access to the compromised networks, or even launch destructive attacks on the vulnerable systems.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
