Hacking and cyber-espionage groups around the world are attempting to exploit recently disclosed zero-day vulnerabilities in Microsoft Exchange Server, before the window of opportunity closes as organisations apply updates to protect against attacks.
Microsoft first became aware of the vulnerabilities in January and security patches were released on March 2 to tackle them, with organisations urged to apply them as soon as possible.
Tens of thousands of organisations around the world are thought to have been affected by cyberattacks targeting Microsoft Exchange, which Microsoft cybersecurity researchers have attributed to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.
But Hafnium isn’t the only APT group looking to exploit unpatched Exchange vulnerabilities: researchers at cybersecurity company ESET have detected at least 10 hacking groups attempting to compromise email servers around the world.
Winniti Group, Calypso, Tick, LuckyMouse (APT27) and others have been spotted scanning for vulnerable servers with intent to compromise.
ESET’s analysis has flagged the presence of webshells – malicious scripts that allow remote control of a server by a web browser – on over 5,000 unique servers in more than 115 countries.
Many of these webshells have only been detected over the past week, as cyber attackers stepped up their operations before many organisations fully applied the patch to their networks.
“After the patch, we’ve seen a big uptick and believe that several attackers started doing mass scanning. They probably wanted to compromise as many servers as possible before the patches are deployed on the mail servers that are most interesting for them,” Matthieu Faou, malware researcher at ESET, told .
Most of the hacking groups identified by the researchers are cyber-espionage operations, while one is a cryptocurrency-mining malware operation.
The groups identified by ESET are unlikely to be the only cyber attackers seeking to exploit the zero days before patches are fully applied, so it’s vital that organisations apply the Exchange Server updates to protect their networks from being exploited by hackers.
“First, organisations should patch. Then they should carefully check for any trace of compromise by reviewing logs and making sure that no webshell is installed on their servers,” said Fauo.
It’s also recommended that organisations consider restricting access to their networks from the open internet, providing an additional hurdle for unwanted intruders.
“They should also consider making their Exchange server accessible only to their users and not to the whole internet – via the use of a VPN, for example. Microsoft Exchange is a very complex application. As such, it is possible that other flaws will be discovered in the next years, and protecting it behind a VPN allows time to patch the application before it’s actually exploited,” Fauo added.