Security researchers have discovered more than ten different hacking groups actively exploiting the zero-day vulnerabilities in the Microsoft Exchange email server, despite the company’s initial attempts to play down the cyberattacks.
The Microsoft Threat Intelligence Center (MSTIC) first detected the vulnerabilities being exploited by a Chinese state-sponsored threat actor dubbed Hafnium.
ESET researchers have now identified over 5,000 hacked email servers from all over the world belonging to businesses and governments, leading them to believe that the now-patched vulnerability is being exploited by several attackers.
“The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse,” said ESET researcher Matthieu Faou, adding that “it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later.”
Tip of the iceberg?
As previously reported, security experts now estimate that over 30,000 US governmental and commercial organizations may have already had their emails hacked following the attack on servers across the country, precipitating a statement from the White House.
While Microsoft has already issued a patch to fix the vulnerability, the US government agrees with security experts that the attacks aren’t over.
Speaking to TechRadar Pro, Adrien Gendre, chief product and services officer at email security vendor Vade Secure, said he believes the worst is still to come, as the attackers have likely left backdoors so they can return later.
“Based on our knowledge of prior incidents, parties affected can expect to see a rise in spear phishing attacks in the coming weeks, all of which will be highly qualitative with proper context and potentially contain history of past email conversations to lend credibility to the scams,” Gendre said.
The latest insight from ESET backs up Gendre’s opinion. Using telemetry data, ESET has identified over ten different threat actors that it believes have leveraged the Exchange vulnerability to install malware such as web shells and backdoors on their victims’ email servers.
“The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet,” ESET’s Faou added, urging admins to patch their Exchange servers, including those that aren’t directly exposed to the internet.