Report: At Least 10 Organized Hacking Groups Exploiting Exchange Server Vulnerabilities

Hacking groups are capitalizing on the vulnerabilities in Microsoft Exchange Server first exploited by an alleged Chinese threat actor.

March 11, 2021 Zachary Comeau Leave a Comment


According to cybersecurity firm ESET, at least 10 sophisticated hacking groups are leveraging the four Microsoft Exchange Server vulnerabilities exploited by alleged Chinese hackers to compromise email servers on their own.

This illustrates the importance of updating and patching systems immediately, the Slovak company said in a Wednesday blog post.

The company conducted its own investigation and published its research on the vulnerabilities and on the hacking campaign allegedly carried out by a malicious Chinese group. The campaign exploits four weak points in on-premises versions of Microsoft Exchange Server, which gives the attackers access to email accounts and allowed them to install additional malware for long-term access.

The number of victims has yet to be disclosed, but reports suggest that at least 30,000 organizations have been compromised, with sectors including government, defense, corporate, health care and higher education.

The group, which Microsoft calls Hafnium, first gains access to an Exchange Server either with stolen passwords or by using the vulnerabilities to disguise itself as a legitimate user. Then, the group creates web shells to control the compromised server remotely. Lastly, it uses that remote access from U.S.-based private servers to steal data.

However, it’s not just Hafnium exploiting these vulnerabilities, according to ESET, which says it has identified more than 10 different threat actors “that likely leveraged the recent Microsoft Exchange RCE in order to install implants on victims’ email servers.”

Our analysis is based on email servers on which we found webshells in Offline Address Book (OAB) configuration files, which is a specific technique used in the exploitation of the RCE vulnerability and has already been detailed in a Unit 42 blogpost. Unfortunately, we cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit.

Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization.
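The quoted ESET analysis keyed on webshells found in Offline Address Book (OAB) configuration. The following is an added defender-side check, not code from the article or from ESET: it assumes it is run from the Exchange Management Shell on an on-premises server, where the `Get-OabVirtualDirectory` cmdlet is available, and it assumes that the OAB virtual directory's `InternalUrl` and `ExternalUrl` fields are the configuration values to inspect; it flags any value that is not a plain http(s) URL.

```powershell
# Added example (not from the article or ESET). Assumes the Exchange
# Management Shell, where Get-OabVirtualDirectory exists, and that the OAB
# virtual directory URL fields are the configuration values worth checking.
function Test-OabUrlField {
    param([string]$Name, [string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $null }

    # A legitimate value is a bare URL; angle brackets or code-like tokens
    # have no business in it and are treated as a finding.
    $hasMarkup = ($Value -match '[<>]') -or ($Value -match '(?i)script|eval|Page\s+Language')

    $parsed = $null
    $isUri  = [System.Uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref]$parsed)

    if ($hasMarkup -or -not $isUri -or ($parsed.Scheme -notin @('http', 'https'))) {
        return [pscustomobject]@{ Field = $Name; Value = $Value }
    }
    return $null
}

# Walk every OAB virtual directory and test both URL fields.
$findings = foreach ($vd in Get-OabVirtualDirectory) {
    foreach ($field in @('InternalUrl', 'ExternalUrl')) {
        $result = Test-OabUrlField -Name "$($vd.Identity) [$field]" -Value ([string]$vd.$field)
        if ($result) { $result }
    }
}

if ($findings) {
    Write-Warning 'Unexpected content in OAB virtual directory URL fields:'
    $findings | Format-Table -AutoSize
    # Per the article's advice: treat the server as compromised, remove the
    # webshell, rotate credentials and investigate for further activity.
} else {
    Write-Output 'OAB virtual directory URL fields look like plain URLs.'
}
```

A clean result here does not prove the server is uncompromised, since the quoted analysis also notes attackers may reuse webshells dropped elsewhere by other groups.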

According to ESET, victims of these 10 hacking groups include a range of government entities, private companies, software developers, cybersecurity firms and other email servers in the U.S., Europe, Asia and the Middle East.

If vulnerable organizations haven’t yet applied Microsoft’s patch, they need to do so immediately, according to ESET.

It is now clearly beyond prime time to patch all Exchange servers as soon as possible (see Microsoft guidance and apply special care in following the steps in the “About installation of these updates” section). Even those not directly exposed to the internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these vulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it.

In case of compromise, one should remove webshells, change credentials and investigate for any additional malicious activity.

Finally, this is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet since, in case of mass exploitation, it is very hard, if not impossible, to patch in time.

Some groups were using the vulnerabilities even before they were made public, when Microsoft disclosed the attacks and released the patch. What’s unclear, however, is how these different hacking groups became aware of the vulnerabilities.

Some may be reverse engineering the patch, while others may be recipients of information from Hafnium or other groups.

Look for indicators of compromise and patch now.
