At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities

At least 10 threat actors are currently involved in the targeting of Microsoft Exchange servers that are affected by recently disclosed zero-day vulnerabilities, according to cybersecurity firm ESET.

On March 2, Microsoft announced patches for four bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that were part of a pre-authentication remote code execution (RCE) attack chain already being exploited in the wild.

Successful exploitation of the bugs could result in the attacker deploying webshells onto the vulnerable Exchange servers, potentially taking full control of them. To date, ESET has identified more than 5,000 compromised servers, but others previously reported that tens of thousands of organizations may have been hacked.
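A defender's first question after an incident like this is whether a webshell has landed in the Exchange web root. The script below is an added example, not code from ESET, Microsoft or the article: it snapshots the hashes of every server-side page under an IIS web root (the "known good" baseline) and then reports any page that is new or has changed, raising the severity when the file also contains markers typical of script-based backdoors (reading request parameters, spawning processes, runtime evaluation). The directory layout, file names and file contents are constructed for the demo; the marker list is a heuristic assumption, not a published indicator set.

```python
"""Baseline-diff triage for server-side pages under an IIS web root (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

SERVER_PAGE_SUFFIXES = {".aspx", ".asmx", ".ashx"}

# Heuristic markers (an assumption, not a published IoC list): server-side code
# that reads attacker-controlled request data or reaches for a process/runtime API.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"Request\s*[\[\.]"),                     # reads request parameters
    re.compile(rb"Process\.Start|cmd\.exe|powershell", re.I),
    re.compile(rb"\beval\s*\(|\bExecute\s*\(", re.I),
    re.compile(rb"System\.Reflection\.Assembly", re.I),
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every server-side page (taken from a trusted state)."""
    return {
        p.relative_to(web_root).as_posix(): sha256_file(p)
        for p in web_root.rglob("*")
        if p.is_file() and p.suffix.lower() in SERVER_PAGE_SUFFIXES
    }


def scan_for_webshells(web_root: Path, baseline: dict[str, str]) -> list[dict]:
    """Report pages that are new or modified relative to the baseline.

    Unchanged baseline files are trusted and skipped. A new/modified file is
    'medium' severity; if it also carries suspicious markers it is 'high'.
    """
    findings = []
    for p in web_root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SERVER_PAGE_SUFFIXES:
            continue
        rel = p.relative_to(web_root).as_posix()
        digest = sha256_file(p)
        if rel in baseline and baseline[rel] == digest:
            continue  # known-good, unchanged
        reason = "not in baseline" if rel not in baseline else "hash differs from baseline"
        content = p.read_bytes()
        hits = [pat.pattern.decode() for pat in SUSPICIOUS_PATTERNS if pat.search(content)]
        if hits:
            reason += "; suspicious markers: " + ", ".join(hits)
        findings.append({"path": rel, "sha256": digest,
                         "severity": "high" if hits else "medium", "reason": reason})
    return findings


def demo() -> list[dict]:
    """Constructed scenario: baseline a tiny web root, then simulate a drop and a tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        legit = root / "owa" / "auth" / "logon.aspx"          # constructed legitimate page
        legit.parent.mkdir(parents=True)
        legit.write_bytes(b'<%@ Page Language="C#" %>\n<html>Sign in</html>\n')
        baseline = build_baseline(root)

        # Simulated post-exploitation drop: a new page containing a request-reading marker.
        # Content is a constructed, non-functional stand-in, not a real backdoor.
        dropped = root / "scripts" / "dropped_constructed.aspx"
        dropped.parent.mkdir(parents=True)
        dropped.write_bytes(b'<%@ Page Language="C#" %>\n'
                            b'<% /* constructed marker-only sample */ var a = Request["x"]; %>\n')
        # Simulated tampering of the legitimate page (content change, no markers).
        legit.write_bytes(b'<%@ Page Language="C#" %>\n<html>Sign in (modified)</html>\n')
        return scan_for_webshells(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(f"[{finding['severity'].upper()}] {finding['path']}: {finding['reason']}")
```

In practice the baseline comes from a clean install or a pre-incident backup, and any hit is handed to incident response rather than simply deleted, since the dropped file is evidence of how far the intrusion progressed.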

Last week, Microsoft said that the flaws were being exploited by Chinese hacking group HAFNIUM, but security researchers were quick to report that several cyber-espionage groups were already targeting the vulnerable Exchange servers.

Now, ESET reveals that at least 10 threat actors are actively engaged in such attacks, including Tick (also known as Bronze Butler), LuckyMouse (also tracked as APT27), Calypso, Websiic, Winnti Group (BARIUM, APT41), Tonto Team (CactusPete), ShadowPad, Mikroceen, and DLTMiner. Activity involving the “Opera” Cobalt Strike and IIS backdoors was also observed.

“On 2021-02-28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group. This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch,” ESET notes.

Immediately after the patches were released, the researchers noticed a spike in attacks, with adversaries “scanning and compromising Exchange servers en masse.” Overall, more than 10 different threat actors are currently abusing the RCE exploit chain to install implants on vulnerable servers.

“Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization,” ESET says.

Targeted organizations include governmental entities, IT services providers and other private companies (IT, telecommunications, engineering, oil, construction equipment, procurement, cybersecurity consulting, software development, and utility).

“Our ongoing research shows that […] multiple APTs have access to the exploit, and some even did so prior to the patch release. It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later,” ESET notes.

The targeted entities are located in the US, Germany, the UK and other European countries (including some located in Eastern Europe), Asia, South America, Africa, and the Middle East.

According to Reuters, at least “60,000 computer systems in Germany” were exposed to the Exchange zero-day flaws. Norway’s parliament, the Storting, was affected by these attacks as well. With proof-of-concept code published online, the number of attacks will only increase.

On Wednesday, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on the compromise of Exchange servers, noting that both state-sponsored actors and cybercriminals are targeting the zero-day flaws.

The attacks could result in adversaries gaining access to and control of enterprise networks, the two agencies warn, adding that tens of thousands of systems in the United States — containing research, personally identifiable information (PII), technology data, and other sensitive information — are potentially at risk.

“Threat actors have targeted local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical,” the advisory reads.

The FBI and CISA also note that threat actors will continue to exploit these issues, looking to compromise networks and exfiltrate data, encrypt data for ransom, sell access to the compromised networks, or even launch destructive attacks on the vulnerable systems.


Ionut Arghire is an international correspondent for SecurityWeek.
