SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
ESET reveals APT groups exploiting Microsoft Exchange vulnerabilities
Tue, 16th Mar 2021

A number of advanced persistent threat (APT) groups are exploiting the latest Microsoft Exchange vulnerabilities, according to new ESET research.

In fact, ESET Research has discovered that more than ten different APT groups are exploiting Exchange vulnerabilities to compromise email servers.

The researchers have identified more than 5,000 email servers that have been affected by malicious activity related to the incident.

The servers belong to organisations, businesses and governments alike from around the world, including high-profile names. Therefore, the threat is not limited to the widely reported Hafnium group, ESET states.

In early March, Microsoft released patches for Exchange Server 2013, 2016 and 2019 that fix a series of pre-authentication remote code execution (RCE) vulnerabilities.

The vulnerabilities allow an attacker to take over any reachable Exchange server, without the need to know any valid account credentials, making internet-connected Exchange servers especially vulnerable, according to ESET.

To date, ESET telemetry flagged the presence of webshells (malicious programs or scripts that allow remote control of a server via a web browser) on more than 5,000 unique servers in over 115 countries.

Furthermore, ESET has identified more than ten different threat actors that likely leveraged the recent Microsoft Exchange RCE vulnerabilities in order to install malware like webshells and backdoors on victims' email servers.

In some cases, several threat actors were targeting the same organisation.

The identified threat groups and behaviour clusters are: Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad activity, The "Opera" Cobalt Strike, IIS backdoors, Mikroceen and DLTMiner.

Matthieu Faou, who is leading ESET's research effort into the recent Exchange vulnerability chain, says, "The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse.

"Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign.

"However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later," Faou says. ESET researchers noticed that some APT groups were exploiting the vulnerabilities even before the patches were released.

"This means we can discard the possibility that those groups built an exploit by reverse engineering Microsoft updates."

Faou says, "It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched.

"In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity.

"The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet."