Ten Hacking Groups Exploiting Microsoft Email Flaw, Warns ESET

The wide-ranging impact of the Microsoft Exchange zero-day flaws continues to be felt, with a fresh warning from security researchers.

ESET in a blog post warned that at least 10 different hacking groups are exploiting the recent Microsoft Exchange vulnerabilities.

It comes after the US government said it was “concerned” over the potentially large number of organisations affected by the zero-day flaws.

Exchange flaws

The administration’s comments were the latest indication of the significance of the Exchange bugs, for which Microsoft issued emergency patches last Tuesday.

Microsoft said a Chinese state-backed hacking group called Hafnium was behind the hacks, which began in early January.

Redmond said Hafnium used the flaws to gain access to Exchange servers undetected in order to steal information from infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental groups.

But now ESET has warned that the number of hacking groups exploiting the vulnerabilities is believed to be in double figures.

And to give an idea of how widely the vulnerabilities are being exploited, ESET said that it had identified more than 5,000 email servers worldwide – belonging to businesses and governments alike – that have been affected by related malicious activity.

Earlier on Wednesday Reuters reported that Norway’s parliament had announced data had been “extracted” in a breach linked to the Microsoft flaws.

Germany’s cybersecurity watchdog agency also said on Wednesday two federal authorities had been affected by the hack, although it declined to identify them.

Prior knowledge

“We have already detected webshells on more than 5,000 email servers as of the time of writing, and according to public sources, several important organisations, such as the European Banking Authority, suffered from this attack,” blogged ESET.

And ESET warned that several of the hacking groups appeared to know about the vulnerability before it was announced by Microsoft on 2 March.

“Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,” it added. “It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”

The advice for system admins is to apply the Microsoft patches as soon as possible to mitigate the risk.

Tom Jowitt
