Ten Hacking Groups Exploiting Microsoft Email Flaw, Warns ESET

The wide-ranging impact of the Microsoft Exchange zero-day flaws continues to be felt, with a fresh warning from security researchers.

ESET in a blog post warned that at least 10 different hacking groups are exploiting the recent Microsoft Exchange vulnerabilities.

It comes after the US government said it was “concerned” over the potentially large number of organisations affected by the zero-day flaws.

Exchange flaws

The administration’s comments were the latest indication of the significance of the Exchange bugs, for which Microsoft issued emergency patches last Tuesday.

Microsoft said a Chinese state-backed hacking group called Hafnium was behind the hacks, which began in early January.

Redmond said Hafnium used the flaws to gain access to Exchange servers undetected in order to steal information from infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and non-governmental groups.

But now ESET has warned that the number of hacking groups exploiting the vulnerabilities is believed to be in double figures.

And to give an idea of how widely the vulnerabilities are being exploited, ESET said that it had identified more than 5,000 email servers worldwide – belonging to businesses and governments alike – that have been affected by related malicious activity.

Earlier on Wednesday, Reuters reported that Norway’s parliament had announced data had been “extracted” in a breach linked to the Microsoft flaws.

Germany’s cybersecurity watchdog agency also said on Wednesday two federal authorities had been affected by the hack, although it declined to identify them.

Prior knowledge

“We have already detected webshells on more than 5,000 email servers as of the time of writing, and according to public sources, several important organisations, such as the European Banking Authority, suffered from this attack,” blogged ESET.

And ESET warned that several of the hacking groups appeared to know about the vulnerability before it was announced by Microsoft on 2 March.

“Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,” it added. “It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”

The advice for system admins is to apply the Microsoft patches as soon as possible to mitigate the risk.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
