At least 10 hacking groups are currently exploiting Microsoft Exchange flaws, report

Attackers pile in after vulnerabilities revealed

At least 10 hacker groups are now exploiting recently uncovered bugs in Microsoft Exchange Server to infiltrate computer systems across the globe.

That is according to the cyber security firm ESET, which said on Wednesday that it has evidence suggesting that Winnti Group, LuckyMouse, Tick, and Calypso are among the cyber groups using the four Microsoft Exchange vulnerabilities to breach email servers worldwide.

"It is now clearly beyond prime time to patch all Exchange servers as soon as possible," ESET said in its report.

Last week, Microsoft released out-of-band security updates to address four vulnerabilities that were being actively exploited by hackers to compromise Exchange Server.

Microsoft said that the four bugs, indexed as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 affect Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.

The flaws are remote code execution (RCE) vulnerabilities, which could enable hackers to access email accounts and to install additional malware to facilitate long-term access to compromised networks.

"The initial attack requires the ability to make an untrusted connection to Exchange server port 443," the company said.

Microsoft attributed the attacks exploiting these vulnerabilities to a highly sophisticated, China-based, state-sponsored threat actor, dubbed Hafnium.

But, according to ESET, Hafnium is not the only group exploiting the vulnerabilities. The firm says it has evidence to suggest that at least three other cyber groups were aware of the flaws and were exploiting them days before Microsoft released its security updates.

After the vulnerabilities were publicly revealed, many other hacking groups also joined in on the exploitation.

Earlier this week, security researcher Brian Krebs said that at least 30,000 organisations across the United States had been compromised through these vulnerabilities.

In each incident, the attackers left behind a web shell: a password-protected hacking tool that can be accessed over the Internet from any browser, providing administrative access to the victims' servers.

To track the bugs' exploitation, ESET researchers looked for servers reconfigured with malicious web shells. The company says it found more than 5,000 such compromised servers in about 115 countries by the time its (ESET's) report was published.

On Wednesday, the Federal Office for Information Security (BSI) in Germany stated that around 60,000 computer systems in the country had been exposed to Microsoft exchange vulnerabilities.

Nearly 35,000 of those systems were patched following a warning last weekend, BSI chief Arne Schoenbohm said, but about 25,000 machines are yet to be updated.

"The warning has worked. In Germany, many Exchange servers have been secured by downloading patches," Schoenbohm told Reuters.

"Every vulnerable system is one too many and can lead to harm."

Two federal authorities in Germany have been affected by the hack, according to the BSI, although it declined to name those authorities.

The Norwegian parliament and EU's banking regulator have also reportedly suffered attacks from hackers, according to Reuters.