ESET uncovers evidence that at least three other hacking groups that specialize in cyber-espionage were exploiting the vulnerabilities before Microsoft publicized the threat.
By Michael Kan
Hackers everywhere are now exploiting recently disclosed vulnerabilities in Microsoft Exchange Server to infiltrate computer systems across the globe, according to security firm ESET.
On Wednesday, ESET published an alarming report that says at least 11 different hacking groups have been abusing the flaws. “It is now clearly beyond prime time to patch all Exchange servers as soon as possible,” the company adds.
The threat primarily concerns companies and government organizations that use Microsoft Exchange to handle emails. Last week, Microsoft disclosed four previously unknown flaws in the software, which can pave the way for remote takeover of an affected server. At the time, Redmond only mentioned that one actor, a Chinese state-sponsored hacking group dubbed “Hafnium,” had been exploiting the vulnerabilities to steal emails from US-based customers since at least early January.
But according to ESET, Hafnium isn’t the only group abusing the flaws. Through its antivirus software, the company’s security researchers uncovered evidence that three other hacking groups specializing in cyberespionage were also exploiting the vulnerabilities days before Microsoft publicized the threat.
After Microsoft publicized the vulnerabilities and issued the patches, other hacking groups joined in on the exploitation. Among them is Winnti, which has been blamed for compromising Avast’s CCleaner and PC vendor Asus in order to deliver malware through software used by millions of customers.
To track exploitation of the flaws, ESET has been monitoring for servers that have been reconfigured with malicious web shells, which can give hackers remote access to the system. “At the date of publication, we had observed more than 5,000 unique servers in over 115 countries where web shells were flagged,” the company says.
However, ESET’s analysis captures only a fraction of the exploitation. Last week, security reporter Brian Krebs reported that investigators estimate at least 30,000 organizations in the US were hacked through the Microsoft Exchange vulnerabilities. In some cases, the victimized servers were infested with multiple backdoors.
ESET is now warning that it will only be a matter of time before other hacking groups, such as ransomware operators, begin targeting the flaws to hold data hostage.
Microsoft itself has also been warning that “multiple actors” are now taking advantage of the flaws. In response, the company published several posts with instructions on how to patch and protect Exchange servers from exploitation. US cyber authorities also issued their own security guidance.
Originally published at https://www.pcmag.com.