A hot potato: Four zero-day exploits in Microsoft Exchange are being targeted by at least 10 advanced persistent threat (APT) hacker groups, with web shell backdoors – which allow remote control of a server via a web browser – being installed on some 5,000 servers spanning 115 different countries.
Four exploits in Microsoft Exchange Server hit the news last week, when we heard that a Chinese hacking group had targeted the email servers of some 30,000 U.S. government and commercial organizations. The exploits had been patched by Microsoft, but the hacking group known as “Hafnium” had doubled-up on efforts targeting unpatched servers.
Security research firm ESET has found that at least 10 APT groups are taking advantage of the exploits in an attempt to compromise servers around the world. Winniti Group, Calypso, Tick, and more are among the groups identified.
The security firm adds that “for the past few days, ESET researchers have been monitoring closely the number of web shell detections for these exploits. At the date of publication, we had observed more than 5,000 unique servers in over 115 countries where web shells were flagged.” By using the Exchange Server exploits to install web shells, hackers can gain remote control of a server via a web browser.
Followed by that report, ransomware activity has also been detected as hackers try to take advantage of the slow patching on Exchange servers, with attack rates "doubling every few hours." A ransomware called 'DearCry' is encrypting email on unpatched Exchange servers to later demand payment from the victims for releasing the data.
Microsoft Defender customers utilizing automatic updates do not need to take additional action to receive these protections. On-premises Exchange Server customers should prioritize the security updates outlined here: https://t.co/DL1XWnitYO— Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021
The bottom line? Organizations should patch their servers using Microsoft’s update as a matter of urgency, before carefully checking logs to see whether web shells have already been installed.
To further safeguard servers, organizations are advised to restrict network access to users (via a VPN, for example). This should protect servers from both the current exploits, and any future ones which inevitably crop up in the years to come.