Multiple APT Groups Now Targeting Microsoft Exchange Servers

Multiple state-sponsored hacking groups have been identified targeting tens of thousands of on-premise Exchange servers around the globe. These attacks are exploiting recently discovered severe vulnerabilities in Microsoft Exchange servers, tracked as ProxyLogon.

What has been discovered?

Microsoft’s initial reports suggested that the Chinese APT group named Hafnium was exploiting ProxyLogon. Earlier this month, Microsoft released patches for Exchange Server 2013, 2016, and 2019, all of which are affected by these vulnerabilities.
  • Just a day after the patch was released, several additional threat actors, including APT27, LuckyMouse, Calypso, and the Winnti Group, were observed scanning and compromising Exchange servers.
  • ESET’s research team observed web shells on more than 5,000 unique servers in over 115 countries. Most of these attacks target servers in the U.S., Germany, and the U.K.
  • Beyond exploiting these vulnerabilities, the observed activity also involved hacking tools including ShadowPad, the Opera Cobalt Strike loader, an IIS backdoor, and DLTMiner.


A brief history

Microsoft was first notified in early January about these vulnerabilities when a security researcher identified two security flaws.
  • Security research firm Volexity detected attacks leveraging these flaws on January 6 and officially informed Microsoft on February 2.
  • Microsoft’s recent security updates fix the vulnerability chain tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
  • However, multiple threat actors, including Hafnium, had started exploiting the vulnerabilities before the patch was released.


The rapid adoption of this new exploitation method by several APTs indicates that a large number of threat actors are eagerly waiting to leverage critical vulnerabilities in popular products. Go patch your Microsoft Exchange servers before it’s too late. Further, experts recommend removing web shells, changing credentials, and looking for malicious activity on servers that may already have been compromised.
