Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Multiple Cyberspy Groups Target Microsoft Exchange Servers via Zero-Day Flaws

Security researchers warn that multiple cyber-espionage groups are targeting the recently addressed zero-day vulnerabilities in Microsoft Exchange Server and say that more than 300 web shells have been identified on the compromised servers.

Security researchers warn that multiple cyber-espionage groups are targeting the recently addressed zero-day vulnerabilities in Microsoft Exchange Server and say that more than 300 web shells have been identified on the compromised servers.

The issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which Microsoft addressed this week, were being abused as part of an attack chain that allowed for the execution of arbitrary code, remotely.

Microsoft said that state-sponsored Chinese hacking group HAFNIUM has been exploiting the vulnerabilities “in limited targeted attacks,” but new details shared by various security firms suggest broader targeting.

“ESET telemetry shows that (at least) CVE-2021-26855 is actively exploited in the wild by several cyber-espionage groups. Among them, we identified LuckyMouse, Tick, Calypso and a few additional yet-unclassified clusters,” ESET said on Twitter.

The company also revealed that, while most of the targets are located in the United States, attacks against servers in Europe, Asia and the Middle East have been identified as well. The assaults were aimed at government organizations, law firms, medical facilities, and private companies.

Organizations can determine whether they might have been compromised by looking in C:inetpubwwwrootaspnet_clientsystem_web for aspx files with names such as shell, supp0rt, aspnet, aspnet_client, and others, or for random filenames in the system_web subdirectory.

Managed detection and response (MDR) solutions provider Huntress says it has already observed more than 200 compromised Exchange Servers that received payloads within the “C:inetpubwwwrootaspnet_clientsystem_web” directory, and claims to have identified more than 350 web shells to date.

An analysis of approximately 2,000 Exchange servers has revealed that roughly 400 of them were vulnerable, with an additional 100 potentially vulnerable, Huntress reveals.

Advertisement. Scroll to continue reading.

The targeted organizations, the security firm says, include “small hotels, an ice cream company, a kitchen appliance manufacture, multiple senior citizen communities and other ‘less than sexy’ mid-market businesses. We’ve also witnessed many city and county government victims, healthcare providers, banks/financial institutions, and several residential electricity providers.”

The large number of identified web shells, Huntress points out, suggests that multiple uncoordinated actors might have been involved in exploitation, or that automated deployment tools were used. The attacks were also able to bypass installed antivirus and EDR solutions.

“These attacks are grave due to the fact that every organization simply has to have email, and Microsoft Exchange is so widely used. These servers are typically publicly accessible on the open internet and they can be exploited remotely. These vulnerabilities can be leveraged to gain remote code execution and fully compromise the target,” Huntress also notes.

Given the critical nature of these vulnerabilities, organizations are advised to apply the available patches as soon as possible.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on these vulnerabilities, and the Department of Homeland Security (DHS) has issued an emergency directive requiring agencies to look for indicators of compromise (IOCs) and either perform forensic investigations where compromise has been identified or apply the available patches where no IOCs were found.

Related: Microsoft Patches Critical SharePoint, Exchange Security Holes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...