ESET: More Than 10 APT Groups Exploiting Recent Microsoft Exchange Vulnerabilities

There are more than 10 different advanced persistent threat (APT) groups exploiting recent Microsoft Exchange vulnerabilities, according to ESET research.
Last week, Microsoft released out-of-band patches to fix multiple zero-day vulnerabilities believed to be under active exploitation by the Chinese state-sponsored group Hafnium. The step was taken to protect customers running on-premises versions of Microsoft Exchange Server.
However, today (March 10), ESET claimed the number of APT groups exploiting the vulnerabilities is believed to be in double figures, identifying more than 5000 email servers worldwide – belonging to businesses and governments alike – that have been affected by related malicious activity.
“The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse,” said ESET researcher Matthieu Faou. “Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign.
“However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later,” he added.
What’s more, the ESET researchers noticed that some APT groups were exploiting the vulnerabilities even before the patches were released, dismissing the possibility that the groups built exploits by reverse engineering Microsoft updates.
The threat groups/behavior clusters identified by ESET are:
- Tick
- LuckyMouse
- Calypso
- Websiic
- Winnti Group
- Tonto Team
- ShadowPad activity
- The “Opera” Cobalt Strike
- IIS backdoors
- Mikroceen
- DLTMiner
“It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity. The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet,” concluded Faou.