ESET Research has discovered that "more than ten different advanced persistent threat (APT) groups are exploiting the recent Microsoft Exchange vulnerabilities to compromise email servers."
ESET's researchers have identified over 5,000 email servers that have been affected by malicious activity related to the incident.
We're told the servers belong to organisations – businesses and governments alike – from around the world, including high-profile ones. Thus, the threat is not limited to the widely reported Hafnium group.
There has been justifiable criticism that responsibility for all of this lies not only with the hackers but, in part, with Microsoft as well. iTWire first covered the news of the four Microsoft Exchange exploits back on March 3, 2021.
ESET reminds us that in early March, "Microsoft released patches for Exchange Server 2013, 2016 and 2019 that fix a series of pre-authentication remote code execution (RCE) vulnerabilities."
The vulnerabilities allow an attacker to take over any reachable Exchange server, without the need to know any valid account credentials, making internet-connected Exchange servers especially vulnerable.
Matthieu Faou, who is leading ESET’s research effort into the recent Exchange vulnerability chain, said: "The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse.
"Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign. However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later."
ESET researchers also noticed that "some APT groups were exploiting the vulnerabilities even before the patches were released."
“This means we can discard the possibility that those groups built an exploit by reverse engineering Microsoft updates,” adds Faou.
ESET reports its "telemetry flagged the presence of webshells (malicious programs or scripts that allow remote control of a server via a web browser) on more than 5,000 unique servers in over 115 countries."
ESET has identified more than ten different threat actors that likely leveraged the recent Microsoft Exchange RCE vulnerabilities in order to install malware like webshells and backdoors on victims’ email servers. In some cases, several threat actors were targeting the same organisation.
The identified threat groups and behaviour clusters are: Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad activity, The "Opera" Cobalt Strike, IIS backdoors, Mikroceen and DLTMiner.
“It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity. The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet,” Faou concluded.