At Least 10 Hacking Groups Are Exploiting Microsoft Exchange Server Flaws

Mar 11
Photo illustration by Jaap Arriens/NurPhoto via Getty Images

ESET uncovers evidence that at least three other hacking groups that specialize in cyber-espionage were exploiting the vulnerabilities before Microsoft publicized the threat.

By Michael Kan

Hackers everywhere are now exploiting recently disclosed vulnerabilities in Microsoft Exchange Server to infiltrate computer systems across the globe, according to security firm ESET.

On Wednesday, ESET published an alarming report that says at least 11 different hacking groups have been abusing the flaws. “It is now clearly beyond prime time to patch all Exchange servers as soon as possible,” the company adds.

The threat primarily concerns companies and government organizations that use Microsoft Exchange to handle emails. Last week, Microsoft disclosed four previously unknown flaws in the software, which can pave the way for remote takeover of an affected server. At the time, Redmond only mentioned that one actor, a Chinese state-sponsored hacking group dubbed “Hafnium,” had been exploiting the vulnerabilities to steal emails from US-based customers since at least early January.

But according to ESET, Hafnium isn’t the only group abusing the flaws. Through its antivirus software, the company’s security researchers uncovered evidence that three other hacking groups specializing in cyberespionage were also exploiting the vulnerabilities days before Microsoft publicized the threat.

Credit: ESET

After Microsoft publicized the vulnerabilities and issued the patches, other hacking groups joined in on the exploitation. Groups include Winnti, which has been blamed for infiltrating Avast’s CCleaner and PC vendor Asus to deliver malware into software programs used by millions of customers.

To track exploitation of the flaws, ESET has been looking for servers that have been reconfigured with malicious web shells, which can give hackers remote access to the system. “At the date of publication, we had observed more than 5,000 unique servers in over 115 countries where web shells were flagged,” the company says.

Credit: ESET

However, ESET’s analysis is only capturing a fraction of the flaws’ exploitation. Last week, security reporter Brian Krebs reported that investigators estimate that at least 30,000 organizations in the US were hacked through the Microsoft Exchange vulnerabilities. In some cases, the victimized servers were infested with multiple backdoors.

ESET is now warning it’ll only be a matter of time before hacking groups, such as ransomware operators, begin targeting the flaws to hold data hostage.

Microsoft itself has also been warning that “multiple actors” are now taking advantage of the flaws. In response, the company published several posts with instructions on how to patch and protect Exchange servers from exploitation. US cyber authorities also issued their own security guidance.

Originally published at PC Magazine
