ESET researchers in Canada have discovered a potential threat to 5,000 Microsoft Exchange business and government email servers around the world.
Although the exact number of those affected by the vulnerability is unknown, ESET researchers estimate the number could reach hundreds of thousands of compromised servers globally. According to public sources, several important organizations, including the European Banking Authority, have suffered from this attack.
The threat comes from 10 different groups that were exploiting vulnerabilities in Microsoft Exchange to allow the cyberattacker to take over any reachable Exchange server, without the need to know any valid account credentials, making Internet-connected Exchange servers especially vulnerable. Microsoft has been alerted about the compromise and has since released patches to address and correct the vulnerabilities for Exchange Server 2013, 2016 and 2019.
“The early action of several threat actors using these vulnerabilities suggests these groups had access to the details of the vulnerabilities before the release,” says Matthieu Faou, Malware Researcher who is leading ESET’s research effort into the recent Exchange vulnerability chain. “Although it is unclear how the distribution of knowledge regarding the exploit happened, it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”
ESET has identified more than 10 different threat actors that likely leveraged the recent Microsoft Exchange RCE vulnerabilities in order to install malware like webshells and backdoors on victims’ email servers. In some cases, several threat actors were targeting the same organization.
The identified threat groups and behavior clusters are:
- Tick – Compromised the web server of a company based in East Asia that provides IT services. As in the case of LuckyMouse and Calypso, the group likely had access to an exploit prior to the release of the patches.
- LuckyMouse – Compromised the email server of a governmental entity in the Middle East. This group likely had an exploit at least one day before the patches were released, when it was still a zero day.
- Calypso – Compromised the email servers of governmental entities in the Middle East and in South America. The group likely had access to the exploit as a zero day. In the following days, Calypso operators targeted additional servers of governmental entities and private companies in Africa, Asia and Europe.
Websiic – Targeted seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe. ESET named this new cluster of activity as Websiic.
Winnti Group – Compromised the email servers of an oil company and a construction equipment company in Asia. The group likely had access to an exploit prior to the release of the patches.
Tonto Team – Compromised the email servers of a procurement company and of a consulting company specialized in software development and cybersecurity, both based in Eastern Europe.
ShadowPad activity – Compromised the email servers of a software development company based in Asia and a real estate company based in the Middle East. ESET detected a variant of the ShadowPad backdoor dropped by an unknown group.
The “Opera” Cobalt Strike – Targeted around 650 servers, mostly in the US, Germany, the UK and other European countries just a few hours after the patches were released.
IIS backdoors – ESET observed IIS backdoors installed via webshells used in these compromises on four email servers located in Asia and South America. One of the backdoors is publicly known as Owlproxy.
Mikroceen – Compromised the exchange server of a utility company in Central Asia, which is the region this group typically targets.
DLTMiner – ESET detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using the Exchange vulnerabilities. The network infrastructure used in this attack is linked to a previously reported coin-mining campaign.
With these risks identified, Faou suggests patching all Microsoft Exchange servers as soon as possible, including those not directly exposed to the Internet. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity.