At least 10 APT hacking groups have exploited Exchange Server bugs, ESET warns
Critical vulnerabilities in Microsoft software have turned into a feeding frenzy for state-linked hackers.
At least 10 such hacking groups have exploited the flaws in the Exchange Server email program in recent days in operations around the world, anti-virus firm ESET said Wednesday. Many of the groups have well-documented links to China.
The surge in hacking suggests multiple sets of espionage groups had access to the software exploit before Microsoft released fixes for it on March 2. It also compounds the challenges facing incident responders who are rushing to deal with the breaches, and bracing for additional exploitation of the bugs by criminal hackers.
“It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later,” ESET researchers wrote in a blog post Wednesday.
The intrusions by advanced persistent threat groups tracked by ESET include a hack of a Middle East government email server by Beijing-linked APT27, as well as a breach of an East Asia-based IT provider by another suspected Chinese group, Bronze Butler. The notorious Winnti Group, another broad set of hacking activity linked with China, has broken into the servers of oil and construction firms in East Asia, according to ESET.
In the U.S., the Biden administration has scrambled to address the Exchange Server exploitation as tens of thousands of state and local government organizations and businesses appear to be vulnerable. A White House official said Monday that “high levels” of the National Security Council were responding to the crisis.
Microsoft has taken the unusual step of issuing security fixes for older, unsupported versions of Exchange Server to try to blunt the impact of the hacking.
Cybersecurity officials from other governments were also grappling with a problem that shows no signs of abating. German officials said Monday that the country had 26,000 instances of the vulnerable Exchange Server software sitting on the internet. The Norwegian parliament, meanwhile, said Wednesday that unidentified hackers had used the Exchange bugs to break into the legislative body’s IT systems and steal data.
The potential for ransomware actors and other opportunistic criminals to enter the fray has IT experts concerned. Dave Kennedy, founder of security firm TrustedSec, said Tuesday that cryptocurrency miners were being installed on vulnerable servers, signaling an expansion of criminal activity exploiting the situation.