Over 10 different threat groups exploit Microsoft mail server flaws, researchers say

March 11, 2021 04:33 pm | Updated 05:00 pm IST

Microsoft Exchange Server vulnerabilities are being exploited by more than 10 different advanced persistent threat (APT) groups to compromise email servers of various organisations, according to researchers at cybersecurity firm ESET.

The anti-virus software maker said threat actors potentially used Microsoft’s mail server flaws to install malware like web shells and gain backdoor entry into victims’ email servers. It has identified the presence of web shells on more than 5,000 unique servers in over 115 countries, the company said in a release.

The servers belong to private and public enterprises located around the world, it added. ESET noted that in certain instances, several threat actors were targeting the same organisation.

Most recently, Germany’s Federal Office for Information Security (BSI) stated that at least 60,000 computer systems in the country were exposed to a Microsoft mail server flaw.

The European Banking Authority said it has been the subject of a cyber-attack against its Microsoft Exchange Servers that may have granted the attacker access to personal data through emails held on the servers.

The web shells deployed by the hackers are usually small pieces of malicious code that allow them to run commands on servers to steal data or use the server to launch other activities, while allowing attackers to persist in an affected organisation, Microsoft explained in a blog post.

Microsoft had released patches last week to fix the Exchange Server vulnerabilities in the 2013, 2016 and 2019 versions, and urged its customers to apply them immediately. The company noted that the patches protect only servers that have not already been compromised.

“The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse,” Matthieu Faou, Malware Researcher at ESET, said in a release. “Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign.”

When Microsoft initially detected multiple zero-day exploits, the technology company attributed the campaign with high confidence to Hafnium, a Chinese state-sponsored group.

But ESET’s analysis shows that “the threat is not limited to the widely reported Hafnium group.”

The identified threat groups and behaviour clusters include Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad activity, The “Opera” Cobalt Strike, IIS backdoors, Mikroceen, and DLTMiner, according to ESET. Some APT groups were exploiting the vulnerabilities even before the patches were released, the cybersecurity firm said.

“Even those [Exchange servers] not directly exposed to the internet should be patched. In case of compromise, admins should remove the web shells, change credentials and investigate for any additional malicious activity,” Faou said.
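As an added illustration of the clean-up Faou describes (find and remove dropped web shells), and not code from ESET, Microsoft or this article: a Python integrity check that snapshots the SHA-256 hashes of IIS-executable script files on a known-good, freshly patched server and later reports any script file that is new, altered or missing. The extension list, the directory names and the file contents in the demo are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Server-side script extensions IIS will execute; a dropped web shell has to use
# one of these to run, so they are what the baseline tracks. Assumed set.
SCRIPT_SUFFIXES = frozenset({".aspx", ".asp", ".ashx", ".asmx"})


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, suffixes=SCRIPT_SUFFIXES) -> dict:
    """Map each script file under root (path relative to root, POSIX form)
    to its hash. Take this snapshot on a known-good, patched server."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def find_deviations(root: Path, manifest: dict, suffixes=SCRIPT_SUFFIXES) -> dict:
    """Diff the live tree against the baseline. 'added' and 'modified' script
    files are the responder's triage list; 'missing' also indicates tampering."""
    current = build_manifest(root, suffixes)
    return {
        "added": sorted(k for k in current if k not in manifest),
        "modified": sorted(k for k in current if k in manifest and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo_scenario() -> dict:
    """Constructed walk-through in a temporary directory: baseline one
    legitimate page, then simulate a dropped file and a tampered page."""
    root = Path(tempfile.mkdtemp(prefix="exch-baseline-"))
    legit = root / "owa" / "auth" / "logon.aspx"  # constructed stand-in for a real page
    legit.parent.mkdir(parents=True)
    legit.write_text("<%-- constructed benign page --%>\n")
    baseline = build_manifest(root)

    # Post-incident state: an unknown .aspx appears and the legitimate page is altered.
    dropped = root / "aspnet_client" / "unknown.aspx"  # constructed name
    dropped.parent.mkdir()
    dropped.write_text("<%-- constructed placeholder for a file absent from the baseline --%>\n")
    legit.write_text("<%-- constructed benign page, now with appended content --%>\n")
    (root / "notes.txt").write_text("non-script file, ignored by the scan\n")
    return find_deviations(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo_scenario(), indent=2))
```

The baseline should be taken from a clean install or immediately after patching, and the manifest stored off the server, since a compromised host cannot be trusted to report on itself; anything listed under "added" or "modified" is a candidate for review rather than proof of a web shell.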
