Microsoft Exchange Servers Face APT Attack Tsunami

At least 10 nation-state-backed groups are using the ProxyLogon exploit chain to compromise email servers, as compromises mount.

Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world. Overall exploitation activity is snowballing, according to researchers.

Microsoft said in early March that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.

And indeed, adversaries from the Chinese APT known as Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.

Microsoft was spurred to release out-of-band patches for the exploited bugs, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Rapidly Spreading Email Server Attacks

Microsoft said last week that the attacks were “limited and targeted.” But that’s certainly no longer the case. Other security companies have continued to say they have seen much broader, escalating activity with mass numbers of servers being scanned and attacked.

ESET researchers had confirmed this as well, and on Wednesday announced that it had pinpointed at least 10 APTs going after the bugs, including Calypso, LuckyMouse, Tick and Winnti Group.

“On Feb. 28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,” according to the writeup. “This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates.

This activity was quickly followed by a raft of other groups, including CactusPete and Mikroceen “scanning and compromising Exchange servers en masse,” according to ESET.

“We have already detected webshells on more than 5,000 email servers [in more than 115 countries] as of the time of writing, and according to public sources, several important organizations, such as the European Banking Authority, suffered from this attack,” according to the ESET report.

It also appears that threat groups are piggybacking on each other’s work. For instance, in some cases the webshells were dropped into Offline Address Book (OAB) configuration files, and they appeared to be accessed by more than one group.

“We cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit,” said ESET researchers. “Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization.”

Zero-Day Activity Targeting Microsoft Exchange Bugs

ESET has documented a raft of activity targeting the four vulnerabilities, including multiple zero-day compromises before Microsoft rolled patches out.

For instance, Tick, which has been infiltrating organizations primarily in Japan and South Korea since 2008, was seen compromising the webserver of an IT company based in East Asia two days before Microsoft released its patches for the Exchange flaws.

“We then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group,” ESET researchers said. “Its main objective seems to be intellectual property and classified information theft.”

NOTE:: This article is copyright by and we are using it for educational or Information purpose only

Best eMail Security Products & Solutions