
Report: At Least 10 Organized Hacking Groups Exploiting Exchange Server Vulnerabilities

Hacking groups are capitalizing on the vulnerabilities in Microsoft Exchange Server first exploited by an alleged Chinese threat actor.

March 11, 2021, by Zachary Comeau


According to cybersecurity firm ESET, at least 10 sophisticated hacking groups are leveraging the four Microsoft Exchange Server vulnerabilities exploited by alleged Chinese hackers to compromise email servers on their own.

This underscores the importance of updating and patching systems immediately, the Slovak company said in a Wednesday blog post.

The company conducted its own investigation and published its research on the vulnerabilities and on the hacking campaign allegedly carried out by a malicious Chinese group. The campaign exploits four weaknesses in on-premises versions of Microsoft Exchange Server, which gives the attackers access to email accounts and allows them to install additional malware for long-term access.

The number of victims has yet to be disclosed, but reports suggest that at least 30,000 organizations have been compromised, with sectors including government, defense, corporate, health care and higher education.

The group, which Microsoft calls Hafnium, first gains access to an Exchange Server either with stolen passwords or by using the vulnerabilities to disguise itself as a legitimate user. Then, the group creates web shells to control the compromised server remotely. Lastly, it uses that remote access from U.S.-based private servers to steal data.

However, it’s not just Hafnium exploiting these vulnerabilities, according to ESET, which says it has identified more than 10 different threat actors “that likely leveraged the recent Microsoft Exchange RCE in order to install implants on victims’ email servers.”

Our analysis is based on email servers on which we found webshells in Offline Address Book (OAB) configuration files, which is a specific technique used in the exploitation of the RCE vulnerability and has already been detailed in a Unit 42 blogpost. Unfortunately, we cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit.

Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization.
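A defender-side check that follows from the OAB detail above, added here as an example and not taken from the article or from ESET's research: it lists the Exchange OAB virtual directories and flags any URL property that does not look like a plain URL. It assumes the tampering shows up in the ExternalUrl or InternalUrl values of the OAB virtual directory (the article only names the OAB configuration files) and that it is run from the Exchange Management Shell on an on-premises server.

```powershell
# Added example (not from the article or ESET). Assumption: a webshell written into the
# OAB configuration appears in the ExternalUrl/InternalUrl properties of the OAB
# virtual directory, so any value that is not a bare http(s) URL warrants investigation.
$suspicious = @()
foreach ($vdir in Get-OabVirtualDirectory) {
    foreach ($prop in 'ExternalUrl', 'InternalUrl') {
        $value = [string]$vdir.$prop
        if ([string]::IsNullOrEmpty($value)) { continue }
        # A legitimate value is a single URL with no whitespace, angle brackets or quotes;
        # markup or script text in this field is a sign the directory was tampered with.
        if ($value -notmatch '^https?://[^\s<>"]+$') {
            $suspicious += [pscustomobject]@{
                Server   = $vdir.Server
                Identity = $vdir.Identity
                Property = $prop
                Value    = $value
            }
        }
    }
}
if ($suspicious) {
    $suspicious | Format-Table -AutoSize
} else {
    'No suspicious OAB URL values found.'
}
```

A hit here is a reason to treat the server as compromised and follow the remediation steps below (remove the webshell, rotate credentials, investigate further), not proof on its own that nothing else was done to the server.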

According to ESET, victims of these 10 hacking groups include a range of government entities, private companies, software developers, cybersecurity firms and other email servers in the U.S., Europe, Asia and the Middle East.

If vulnerable organizations haven’t yet applied Microsoft’s patch, they need to do so immediately, according to ESET.

It is now clearly beyond prime time to patch all Exchange servers as soon as possible (see Microsoft guidance and apply special care in following the steps in the “About installation of these updates” section). Even those not directly exposed to the internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these vulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it.

In case of compromise, one should remove webshells, change credentials and investigate for any additional malicious activity.

Finally, this is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet since, in case of mass exploitation, it is very hard, if not impossible, to patch in time.

Some groups were even using the vulnerabilities before they were made public, when Microsoft disclosed the attacks and released the patch. What’s unclear, however, is how these different hacking groups were made aware of the vulnerabilities.

Some may be reverse engineering the patch, while others may be recipients of information from Hafnium or other groups.

Look for indicators of compromise and patch now.
