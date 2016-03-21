Microsoft Exchange servers have been under attack in the past few days by a number of groups, including several known "state-sponsored and cyber-criminal hacking groups". They are targeting several zero-day vulnerabilities that have come to light. What I find interesting is the number of groups that all began exploiting these vulnerabilities at the same time. Additional groups, including ransomware organizations, have joined in on the hacking attempts, especially after Microsoft issued patches for the vulnerabilities.
Below "the fold" is a roundup of the stories that have been submitted so far.
There's a Vexing Mystery Surrounding the 0-day Attacks on Exchange Servers
There's a vexing mystery surrounding the 0-day attacks on Exchange servers:
The Microsoft Exchange vulnerabilities that allow hackers to take over Microsoft Exchange servers are under attack by no fewer than 10 advanced hacking groups, six of which began exploiting them before Microsoft released a patch, researchers reported Wednesday. That raises a vexing question: how did so many separate threat actors have working exploits before the security flaws became publicly known?
Researchers say that as many as 100,000 mail servers around the world have been compromised, with those for the European Banking Authority and Norwegian Parliament being disclosed in the past few days. Once attackers gain the ability to execute code on the servers, they install web shells, which are browser-based windows that provide a means for remotely issuing commands and executing code.
[...] The mystery is compounded by this: within a day of Microsoft issuing the patches, at least three more APTs joined the fray. A day later, another one was added to the mix. While it's possible that those four groups reverse-engineered the fixes, developed weaponized exploits, and deployed them at scale, those types of activities usually take time. A 24-hour window is on the short side.
There's no clear explanation for the mass exploitation by so many different groups, leaving researchers few alternatives other than to speculate.
[...] Of course, it's possible that the half-dozen APTs that exploited the vulnerabilities while they were still zero-days independently discovered the vulnerabilities and developed weaponized exploits. If that's the case, it's likely a first, and hopefully a last.
Microsoft Exchange Server Zero-Day Attacks: Malicious Software Found on 2,300 Machines in the UK
Source: Microsoft Exchange Server zero-day attacks: Malicious software found on 2,300 machines in the UK:
Any organisations that have yet to apply the critical updates to secure zero-day vulnerabilities in Microsoft Exchange Server are being urged to do so immediately to prevent what's described as an 'increasing range' of hacking groups attempting to exploit unpatched networks.
The NCSC says it believes that over 3,000 Microsoft Exchange email servers used by organisations in the UK haven't had the critical security patches applied, so remain at risk from cyber attackers looking to take advantage of the vulnerabilities.
If organisations can't install the updates, the NCSC recommends that untrusted connections to Exchange server port 443 should be blocked, while Exchange should also be configured so it can only be accessed remotely via a VPN.
It's also recommended that all organisations that are using an affected version of Microsoft Exchange should proactively search their systems for signs of compromise, in case attackers have been able to exploit the vulnerabilities before the updates were installed.
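The NCSC advice above to search for signs of compromise, and the Ars excerpt's note that attackers drop web shells once they can run code, both come down to log and file hunting on the Exchange server. The following is an added example, not code from this page, from Microsoft, or from any of the reporting quoted here. It implements the one indicator for CVE-2021-26855 that Microsoft published in its HAFNIUM hunting guidance: entries in the Exchange HttpProxy CSV logs (under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy) with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~*/*. The column subset, hostnames, IPs and log lines below are constructed for the example; the column names are the real ones, and the reader tolerates both a "#Fields:" column line and a plain header row so it works on either log layout.

```python
"""Hunt Exchange HttpProxy logs for the CVE-2021-26855 request pattern.

Added example; not the page's, Microsoft's or any vendor's code.
Indicator (from Microsoft's published HAFNIUM hunting guidance):
AuthenticatedUser is empty and AnchorMailbox matches ServerInfo~*/*.
Sample data below is constructed; real logs have many more columns.
"""
import csv
import io
from typing import Dict, List

# Constructed sample in the Exchange log layout: '#'-prefixed metadata
# lines, a '#Fields:' column line, then data rows. Rows 2 and 4 are the
# unauthenticated ServerInfo~ requests a responder should catch.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.0000.000
#Log-type: HttpProxy Logs
#Date: 2021-03-03T10:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T10:01:12.100Z,1,10.0.0.5,/owa/,CONTOSO\\alice,SMTP:alice@contoso.example,200
2021-03-03T10:02:44.210Z,2,198.51.100.23,/owa/auth/x.js,,ServerInfo~exch01.contoso.example:444/owa/,200
2021-03-03T10:03:01.000Z,3,10.0.0.7,/ecp/,CONTOSO\\bob,SMTP:bob@contoso.example,200
2021-03-03T10:03:05.330Z,4,198.51.100.23,/ecp/y.js,,ServerInfo~exch01.contoso.example:444/autodiscover/autodiscover.xml,200
2021-03-03T10:04:00.000Z,5,10.0.0.9,/autodiscover/autodiscover.xml,CONTOSO\\carol,SMTP:carol@contoso.example,200
"""


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse one HttpProxy log file into dict rows keyed by column name.

    Column names are taken from a '#Fields:' line when present; otherwise
    the first non-comment line is treated as a plain CSV header row.
    """
    fieldnames = None
    data_lines: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fieldnames = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        data_lines.append(line)
    # Some tools emit both a '#Fields:' line and a header row; drop the latter.
    if fieldnames and data_lines and data_lines[0].split(",")[0] == fieldnames[0]:
        data_lines = data_lines[1:]
    body = io.StringIO("\n".join(data_lines))
    reader = csv.DictReader(body, fieldnames=fieldnames) if fieldnames else csv.DictReader(body)
    return list(reader)


def is_proxylogon_ssrf(row: Dict[str, str]) -> bool:
    """True if the row matches Microsoft's CVE-2021-26855 indicator:
    no authenticated user and an AnchorMailbox of the form ServerInfo~*/*."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = row.get("AnchorMailbox") or ""
    prefix = "ServerInfo~"
    return user == "" and anchor.startswith(prefix) and "/" in anchor[len(prefix):]


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return only the rows that match the indicator."""
    return [row for row in parse_httpproxy_log(text) if is_proxylogon_ssrf(row)]


def summarize(rows: List[Dict[str, str]]) -> Dict[str, List[tuple]]:
    """Group hits by client IP so the responder sees who probed which paths."""
    by_ip: Dict[str, List[tuple]] = {}
    for row in rows:
        by_ip.setdefault(row.get("ClientIpAddress", "?"), []).append(
            (row.get("DateTime"), row.get("UrlStem"), row.get("AnchorMailbox"))
        )
    return by_ip


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_HTTPPROXY_LOG)
    for ip, entries in summarize(hits).items():
        print(f"{ip}: {len(entries)} suspicious request(s)")
        for when, stem, anchor in entries:
            print(f"  {when} {stem} -> {anchor}")
```

A hit here means the server was at least probed while unpatched; the next step on the NCSC's list, hunting for the web shells the Ars excerpt describes, is a separate check of recently created .aspx files under the Exchange and IIS web roots, which this script does not do.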
More Hacking Groups Join Microsoft Exchange Attack Frenzy
More hacking groups join Microsoft Exchange attack frenzy:
More state-sponsored hacking groups have joined the ongoing attacks targeting tens of thousands of on-premises Exchange servers impacted by severe vulnerabilities tracked as ProxyLogon.
After Microsoft's initial report that the vulnerabilities were actively exploited by a Chinese APT group named Hafnium, Slovak internet security firm ESET shared info on at least three other Chinese-backed hacking groups abusing the ProxyLogon flaws in ongoing attacks.
Besides those three (APT27, Bronze Butler aka Tick, and Calypso), ESET also said that it identified several "additional yet-unclassified clusters."
[...] ESET has now published a new report saying that unpatched Exchange servers are currently hunted down by "at least 10 APT groups."
On top of the previously mentioned APTs (APT27, Tick, and Calypso), ESET's new list also includes Winnti Group, Tonto Team, Mikroceen, and a newly detected threat actor dubbed Websiic.
While analyzing telemetry data, the company has also spotted ShadowPad, "Opera" Cobalt Strike, IIS backdoor, and DLTMiner activity by unknown APT groups.
Microsoft Exchange Server Hacks "Doubling" Every Two Hours
Not covered on SoylentNews yet, but sounds like a major happening. Microsoft Exchange Server hacks 'doubling' every two hours.
Cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server with attack rates doubling every few hours.
According to Check Point Research (CPR), threat actors are actively exploiting four zero-day vulnerabilities tackled with emergency fixes issued by Microsoft on March 2 -- and attack attempts continue to rise.
In the past 24 hours, the team has observed "exploitation attempts on organizations doubling every two to three hours."
The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively.
Government, military, manufacturing, and then financial services are currently the most targeted industries.
Palo Alto estimates that at least 125,000 servers remain unpatched worldwide.
The critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) impact Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
Microsoft. No Comment.
Microsoft issued emergency, out-of-band patches to tackle the security flaws -- which can be exploited for data theft and server compromise -- and has previously attributed active exploitation to Chinese advanced persistent threat (APT) group Hafnium.
Original Submission #1 Original Submission #2 Original Submission #3 Original Submission #4