Microsoft Exchange Server exploits are being targeted by "at least 10 hacker groups"

[Joe White]

A hot potato: Four zero-day exploits in Microsoft Exchange are being targeted by at least 10 advanced persistent threat (APT) hacker groups, with web shell backdoors – which allow remote control of a server via a web browser – being installed on some 5,000 servers spanning 115 different countries.

Four exploits in Microsoft Exchange Server hit the news last week, when we heard that a Chinese hacking group had targeted the email servers of some 30,000 U.S. government and commercial organizations. The exploits had been patched by Microsoft, but the hacking group known as “Hafnium” had doubled-up on efforts targeting unpatched servers.

Security research firm ESET has found that at least 10 APT groups are taking advantage of the exploits in an attempt to compromise servers around the world. Winniti Group, Calypso, Tick, and more are among the groups identified.

The security firm adds that “for the past few days, ESET researchers have been monitoring closely the number of web shell detections for these exploits. At the date of publication, we had observed more than 5,000 unique servers in over 115 countries where web shells were flagged.” By using the Exchange Server exploits to install web shells, hackers can gain remote control of a server via a web browser.

Proportion of webshell detections by country (2021-02-28 to 2021-03-09)

Followed by that report, ransomware activity has also been detected as hackers try to take advantage of the slow patching on Exchange servers, with attack rates "doubling every few hours." A ransomware called 'DearCry' is encrypting email on unpatched Exchange servers to later demand payment from the victims for releasing the data.

Microsoft Defender customers utilizing automatic updates do not need to take additional action to receive these protections. On-premises Exchange Server customers should prioritize the security updates outlined here: https://t.co/DL1XWnitYO

— Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021

The bottom line? Organizations should patch their servers using Microsoft’s update as a matter of urgency, before carefully checking logs to see whether web shells have already been installed.

To further safeguard servers, organizations are advised to restrict network access to users (via a VPN, for example). This should protect servers from both the current exploits, and any future ones which inevitably crop up in the years to come.

Permalink to story.

https://www.techspot.com/news/88913-microsoft-exchange-server-exploits-targeted-least-10-hacker.html

 

[Dimitriid]

Maybe companies shouldn't depend on exchange as the defacto only email client? Sure patch this but may I ask why almost every single office job I've had for the past 15 years or you uses exchange? Yes there's good functionality and companies like integration and such but exchange has been the only choice for so many organizations for so years robust feature set could have been implemented on some other email and calendar server.

Just don't get lazy and go to gmail instead please.

 

[Burty117]

Just don't get lazy and go to gmail instead please.

What? Cos Gmail is soo much better or something? And what's using Gmail vs a Microsoft Exchange based email system got to do with being Lazy?

If you're already running Microsoft everything (exchange and office) why would you go Gmail and not Microsoft 365?

Genuinely interested btw.

 

[lipe123]

Maybe companies shouldn't depend on exchange as the defacto only email client? Sure patch this but may I ask why almost every single office job I've had for the past 15 years or you uses exchange? Yes there's good functionality and companies like integration and such but exchange has been the only choice for so many organizations for so years robust feature set could have been implemented on some other email and calendar server.

Just don't get lazy and go to gmail instead please.

Why would a company pay for gsuite email hosting and pay microsoft for a office 365 license for productivity.
Gsuite word processor and spreadsheet is an absolute joke to anyone that does more than write an essay for school here and there.
Companies don't just "like" integration, It saves hours every day meaning you can earn more money in the same time period.

so your solution is to pay double as much and do half the work- that's quite the business model!.

A better response would be why companies still run on-site self hosted exchange servers instead of cloud hosted versions that does not offer as many security risks.