Ten Hacking Groups Exploiting Microsoft Email Flaw, Warns ESET

The wide-ranging impact of the Microsoft Exchange zero-day flaws continues to be felt, with a fresh warning from security researchers.

ESET in a blog post warned that at least 10 different hacking groups are exploiting the recent Microsoft Exchange vulnerabilities.

It comes after the US government said it was “concerned” over the potentially large number of organisations affected by the zero-day flaws.

Exchange flaws

The administration’s comments were the latest indication of the significance of the Exchange bugs, for which Microsoft issued emergency patches last Tuesday.

Microsoft said a Chinese state-backed hacking group called Hafnium was behind the hacks, which began in early January.

Redmond said Hafnium used the flaws to gain access to Exchange servers undetected in order to steal information from infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental groups.

But now ESET has warned that the number of hacking groups exploiting the vulnerabilities is believed to be in double figures.

And to give an idea of how widely the vulnerabilities are being exploited, ESET said it had identified more than 5,000 email servers worldwide – belonging to businesses and governments alike – that have been affected by related malicious activity.

Earlier on Wednesday Reuters reported that Norway’s parliament had announced data had been “extracted” in a breach linked to the Microsoft flaws.

Germany’s cybersecurity watchdog agency also said on Wednesday two federal authorities had been affected by the hack, although it declined to identify them.

Prior knowledge

“We have already detected webshells on more than 5,000 email servers as of the time of writing, and according to public sources, several important organisations, such as the European Banking Authority, suffered from this attack,” blogged ESET.

And ESET warned that several of the hacking groups appeared to know about the vulnerability before it was announced by Microsoft on 2 March.

“Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,” it added. “It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”

The advice for system admins is to apply the Microsoft patches as soon as possible to mitigate the risk. Patching closes the vulnerabilities but does not remove any webshell that was dropped before the update was applied, so any server that was reachable from the internet before it was patched should also be checked for signs of compromise.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
