Security Market Segment LS
Thursday, 11 March 2021 14:11

ESET discovers 'thousands' of Exchange servers under siege - PATCH NOW!

Click to enlarge Click to enlarge

The number of APT groups "exploiting the latest Exchange vulnerabilities grows, with thousands of email servers under siege" according to security company ESET.

ESET Research has discovered that "more than ten different advanced persistent threat (APT) groups are exploiting the recent Microsoft Exchange vulnerabilities to compromise email servers."

ESET's researchers have identified over 5,000 email servers that have been affected by malicious activity related to the incident.

We're told the servers belong to organisations – businesses and governments alike – from around the world, including high-profile ones. Thus, the threat is not limited to the widely reported Hafnium group.

There has been justifiable criticism that Microsoft bears some responsibility for all of this, and not just the hackers. iTWire first covered the news of the four Microsoft Exchange exploits back on March 3, 2021. 

ESET reminds us that in early March, "Microsoft released patches for Exchange Server 2013, 2016 and 2019 that fix a series of pre-authentication remote code execution (RCE) vulnerabilities."

The vulnerabilities allow an attacker to take over any reachable Exchange server, without the need to know any valid account credentials, making internet-connected Exchange servers especially vulnerable.

Matthieu Faou, who is leading ESET’s research effort into the recent Exchange vulnerability chain, said: "The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse.

"Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign. However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later."

ESET researchers also noticed that "some APT groups were exploiting the vulnerabilities even before the patches were released."

“This means we can discard the possibility that those groups built an exploit by reverse engineering Microsoft updates,” adds Faou.

ESET reports its "telemetry flagged the presence of webshells (malicious programs or scripts that allow remote control of a server via a web browser) on more than 5,000 unique servers in over 115 countries."

ESET has identified more than ten different threat actors that likely leveraged the recent Microsoft Exchange RCE vulnerabilities in order to install malware like webshells and backdoors on victims’ email servers. In some cases, several threat actors were targeting the same organisation.

The identified threat groups and behaviour clusters are: Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad activity, The "Opera" Cobalt Strike, IIS backdoors, Mikroceen and DLTMiner.

“It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity. The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet,” Faou concluded.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Alex Zaharov-Reutt

Alex Zaharov-Reutt is iTWire's Technology Editor is one of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and technology, lifestyle and reality TV shows. Visit Alex at Twitter here.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News