Cybercrime , Forensics , Fraud Management & Cybercrime

Microsoft Exchange: At Least 10 APT Groups Exploiting Flaws

Some Attacks Predate Microsoft Being Alerted to the Vulnerabilities, Eset Says
Microsoft Exchange: At Least 10 APT Groups Exploiting Flaws
Microsoft Exchange attack timeline (Source: Eset)

Serious vulnerabilities in Microsoft Exchange have been exploited by at least 10 advanced persistent threat groups that have been collectively been hitting thousands of companies over the last three months, security researchers warn.

See Also: 2024 Report: Mapping Cyber Risks from the Outside

Full details of the attacks and groups involved - when known - have been released by researchers at Slovakia-based security firm Eset. They say at least several APT groups also began attacks that exploit the flaws, prior to Jan. 5, which is when Microsoft says it first learned about the vulnerabilities.

"This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates," Eset researchers say.

Another explanation, however, would be that the attackers had discovered by vulnerabilities and begun exploiting them, after which a security researcher identified what they had done.

Other security researchers have confirmed that the attacks began prior to Jan. 5. "We can't confirm the exact attribution that Eset is making, but the data we have does show multiple, likely Chinese groups using the exploit in different waves, matching what Eset has seen," says Ben Read, director of analysis at FireEye's Mandiant threat intelligence group.

APT Groups Allegedly Involved

So far, Eset says it has attributed Exchange-targeting attacks to at least eight known APT groups: Tick, LuckyMouse, Calypso, Websiic, Winnti, Tonto Team, Mikroceen and DLTMiner. Two other groups involved remain unidentified.

Previously, Eset reported that about five APT groups has been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 - but had not named the allegedly involved groups.

Earlier, Microsoft blamed the attacks on a single China-based group it calls Hafnium.

In the bigger picture, Drew Schmitt, a senior threat intelligence analyst at GuidePoint Security, notes that attackers often continue to seek - and exploit - the most widely used technology possible, to maximize the impact of their efforts. "As we have seen with the SolarWinds breach and now these Microsoft Exchange vulnerabilities, threat groups are targeting technology used by many, to have the largest impact possible."

Numerous Servers Hit

So far, at least 5,000 government and private email servers across 115 countries have been hit by attackers targeting the aforementioned Exchange flaws, Eset reports.

But many more systems may have been hit. Cybersecurity firm Unit 221B says it has obtained a list of 86,000 IP addresses of Exchange servers infected worldwide, says Allison Nixon, the company's chief research officer (see: List of Hacked Exchange Servers May Boost Recovery Efforts).

To assist victims, Unit 221B has created a web-based service called Check My OWA - for Outlook Web Access or Outlook Web App - designed to help organizations identify whether their email systems were infected in the first wave of attacks.

Attack Timeline

Eset says three of the 10 APT groups began exploiting the unpatched vulnerabilities in Exchange on Jan. 3, two days before Devcore security researcher Cheng-Da Tsai - also known as Orange Tsai - reported the security flaws to Microsoft.

Security firm Volexity spotted hackers targeting Exchange servers on Jan. 3, when it saw CVE-2021-26855 being exploited. Eset is attributing this initial wave of attacks to the APT groups LuckyMouse, Calypso and Websiic.

On Feb. 27, the APT group Tick, which has been operating since 2008, compromised the webserver of an East Asian IT company, the researchers say. After injecting a first-stage web shell that gave it the ability to issue orders to the device, the group dropped the Delphi backdoor.

Another attack began on Feb. 28, which was two days before Microsoft first issued an emergency patch for the Exchange flaws on March 2.

Just hours before Microsoft issued its patch, Winnti, aka Barium and APT41, hit both an oil company and a construction equipment firm in East Asia, Eset says. The group used the PlugX RAT and ShadowPad malware in its attacks.

The other APT groups began their attacks activity after March 3, Eset reports.

LuckyMouse, aka APT27, began its attack by dropping the Nbtscan tool, installing a variant of the ReGeorg web shell and issuing a GET request using curl, Eset says. The attackers also attempted to install their own version of SysUpdate, it says.

Calypso hit Mideast and South American targets using two web shells and two backdoors, Eset reports. It then installed a variety of Mimikatz malware, which is used as a post-exploitation tool to steal passwords from memory, as well as hashes, the researchers say.

Websiic's activity involved targeting a cluster for seven email servers used by private companies in Asia and another server used by an Asian government, Eset says.

Post-Patch Attacks

On March 4 - two days after Microsoft first issued an emergency patch for the Exchange flaws - other groups began their attacks. This activity included:

  • Tonto Team, also known as CactusPete, hacking email servers of a procurement firm and a consulting company specializing in software development and cybersecurity, both based in Eastern Europe.
  • An unknown group using the Opera browser to target about 650 servers, mostly in the U.S., Germany, the U.K. and other European countries, and then install the penetration testing tool Cobalt Strike.
  • An unknown group installing web shells in four email servers in Asia and South America that, in turn, downloaded variants of the IIS backdoor, which is a rootkit for Microsoft Internet Information Services.
  • The Mikroceen APT group, aka Vicious Panda, on March 4 compromising the Exchange server of a utility company in Central Asia and injecting versions of the password-grabbing Mimikatz tool.
  • The DLTMiner gang on March 5 deploying PowerShell downloaders on email servers that were previously targeted using Exchange vulnerability exploits. Eset theorizes that DLTMiner is hijacking web shells installed by other threat groups.

Help for Defenders

Knowing the specific groups that are attacking vulnerable Exchange servers is a huge plus for defenders, says GuidePoint Security's Schmitt.

"As defenders begin to have a more detailed grasp on threat groups and their methodology, they can implement defense-in-depth strategies that will provide the most layers of protection in their environments."


About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.