16 Mar 2021
Story image

ESET reveals APT groups exploiting Microsoft Exchange vulnerabilities

By Catherine Knowles

A number of advanced persistent threat (APT) groups are exploiting the latest Microsoft Exchange vulnerabilities, according to new ESET research.

In fact, ESET Research has discovered that more than ten different APT groups are exploiting Exchange vulnerabilities to compromise email servers.

The researchers have identified more than 5,000 email servers that have been affected by malicious activity related to the incident.

The servers belong to organisations, businesses and governments alike from around the world, including high-profile names. Therefore, the threat is not limited to the widely reported Hafnium group, ESET states.

In early March, Microsoft released patches for Exchange Server 2013, 2016 and 2019 that fix a series of pre-authentication remote code execution (RCE) vulnerabilities.

The vulnerabilities allow an attacker to take over any reachable Exchange server, without the need to know any valid account credentials, making internet-connected Exchange servers especially vulnerable, according to ESET.

To date, ESET telemetry flagged the presence of webshells (malicious programs or scripts that allow remote control of a server via a web browser) on more than 5,000 unique servers in over 115 countries.

Furthermore, ESET has identified more than ten different threat actors that likely leveraged the recent Microsoft Exchange RCE vulnerabilities in order to install malware like webshells and backdoors on victims email servers.

In some cases, several threat actors were targeting the same organisation.

The identified threat groups and behaviour clusters are: Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad activity, The "Opera" Cobalt Strike, IIS backdoors, Mikroceen and DLTMiner.

Matthieu Faou, who is leading ESET's research effort into the recent Exchange vulnerability chain, says, “The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse.

"Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign.

"However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later, says ESET researchers noticed that some APT groups were exploiting the vulnerabilities even before the patches were released.

"This means we can discard the possibility that those groups built an exploit by reverse engineering Microsoft updates.”

Faou says, “It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched.

"In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity.

"The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet.”

Recent stories
More stories