Quote:Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world. Overall exploitation activity is snowballing, according to researchers.
Microsoft said in early March that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.
And indeed, adversaries from the Chinese APT known as Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.
Microsoft was spurred to release out-of-band patches for the exploited bugs, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Microsoft said last week that the attacks were “limited and targeted.” But that’s certainly no longer the case. Other security companies have continued to say they have seen much broader, escalating activity with mass numbers of servers being scanned and attacked.
ESET researchers had confirmed this as well, and on Wednesday announced that it had pinpointed at least 10 APTs going after the bugs, including Calypso, LuckyMouse, Tick and Winnti Group.
“On Feb. 28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,” according to the writeup. “This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates.”
Read more: Microsoft Exchange Servers Face APT Attack Tsunami | Threatpost
![[-]](https://www.geeks.fyi/images/collapse.png)
