What has been discovered?
- Within a day of the patch being released, several additional threat actors, including APT27, LuckyMouse, Calypso, and the Winnti Group, were observed scanning for and compromising Exchange servers.
- ESET Research had observed web shells flagged on more than 5,000 unique servers in over 115 countries. Most of the observed activity is concentrated in the U.S., Germany, and the U.K.
- Beyond exploitation of the vulnerabilities themselves, post-compromise activity involved tooling such as ShadowPad, the Opera Cobalt Strike loader, IIS backdoors, and DLTMiner.
A brief history
- Security research firm Volexity detected attacks leveraging these flaws on January 6 and officially informed Microsoft on February 2.
- Microsoft’s recent security updates fixed the vulnerability chain tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
- However, multiple threat actors, including Hafnium, had already been exploiting the vulnerabilities before the patch was released.
The rapid adoption of this exploitation chain by several APTs shows how many threat actors stand ready to weaponize critical vulnerabilities in widely deployed products. Patch your Microsoft Exchange servers before it is too late. Because the update closes the entry point but does not remove anything an attacker already dropped, experts also recommend hunting for and removing web shells, rotating credentials, and reviewing logs for malicious activity on any server that was exposed before the patch was applied.
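As an added example of what "reviewing logs for malicious activity" looks like in practice (this is not code from the original article, nor from Microsoft, ESET, or Volexity): a small Python triage script that parses Exchange's CSV-style HttpProxy logs and flags requests proxied with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~<host>/<path>, the published indicator for the CVE-2021-26855 SSRF stage. The column subset in the constructed sample log is an assumption made to keep the example short; the field names used match the real #Fields: header, and the sample rows are constructed, not a real capture.

```python
"""Triage Exchange HttpProxy logs for the CVE-2021-26855 SSRF indicator.

Added example, not code from the article it accompanies. Exchange writes
HttpProxy_*.LOG files under <Exchange install>\\V15\\Logging\\HttpProxy\\.
Requests proxied with an empty AuthenticatedUser while carrying an
AnchorMailbox shaped like ServerInfo~<host>/<path> match the published
indicator for the pre-auth SSRF stage of the chain. The column subset in
SAMPLE_LOG is an assumption; real files carry many more columns.
"""
import csv
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def parse_httpproxy_log(text: str) -> Iterator[dict]:
    """Yield one dict per data row. The file opens with '#'-prefixed
    metadata lines; the '#Fields:' line names the CSV columns."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields: header")
        values = next(csv.reader([line]))
        yield dict(zip(fields, values))


def is_serverinfo_ssrf(row: dict) -> bool:
    """Unauthenticated request whose AnchorMailbox is ServerInfo~host/path.
    The published filter only matches anchors containing a '/' after the
    host, so a plain ServerInfo~host value is deliberately not flagged."""
    anchor = row.get("AnchorMailbox", "")
    unauthenticated = row.get("AuthenticatedUser", "").strip() == ""
    return unauthenticated and anchor.startswith("ServerInfo~") and "/" in anchor


def find_ssrf_hits(text: str) -> List[Hit]:
    """Return every matching row of one log file's contents."""
    return [
        Hit(row.get("DateTime", ""), row.get("ClientIpAddress", ""),
            row.get("UrlStem", ""), row.get("AnchorMailbox", ""))
        for row in parse_httpproxy_log(text)
        if is_serverinfo_ssrf(row)
    ]


def triage_directory(root: Path) -> List[Hit]:
    """Walk an HttpProxy logging directory (or a copy collected from the
    server) and aggregate hits across all HttpProxy_*.LOG files."""
    hits: List[Hit] = []
    for log_file in sorted(root.rglob("HttpProxy_*.LOG")):
        text = log_file.read_text(encoding="utf-8", errors="replace")
        hits.extend(find_ssrf_hits(text))
    return hits


# Constructed sample (not a real capture): one authenticated request, one
# unauthenticated request whose anchor names a server without a path, and
# one request matching the SSRF indicator.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.009
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,Protocol,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T01:12:07.338Z,0f2e1a9c-1111-4b2b-8c3d-000000000001,Autodiscover,mail.example.com,/autodiscover/autodiscover.xml,CORP\\alice,Sid~S-1-5-21-1000-2000-3000-1105,10.0.0.5,200
2021-03-03T01:13:40.010Z,0f2e1a9c-2222-4b2b-8c3d-000000000002,Ecp,mail.example.com,/ecp/healthcheck.htm,,ServerInfo~mail.example.com,10.0.0.9,200
2021-03-03T01:14:55.902Z,0f2e1a9c-3333-4b2b-8c3d-000000000003,Autodiscover,mail.example.com,/autodiscover/autodiscover.xml,,ServerInfo~localhost/autodiscover/autodiscover.xml,203.0.113.7,200
"""

if __name__ == "__main__":
    for hit in find_ssrf_hits(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client_ip} {hit.url_stem} anchor={hit.anchor_mailbox}")
```

Run `triage_directory` against a copy of the server's Logging\HttpProxy tree rather than the live directory. A hit is a reason to hunt for web shells in the Exchange and IIS web directories and to rotate credentials, not proof of compromise by itself; conversely, no hits do not clear a server, because HttpProxy logs roll over and the other CVEs in the chain leave different traces.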