Microsoft's Exchange Server Security Problem Is Gaining Steam

The handful of Exchange Server zero-day flaws Microsoft announced earlier this month has snowballed into a much broader problem.

On March 2, Microsoft issued out-of-band security patches to address four zero-day Exchange Server flaws being exploited by an advanced persistent threat group (APT) it dubbed "Hafnium." The Hafnium group is thought to have used the four flaws in combination to carry out a widespread government and industry espionage campaign.

Microsoft is now warning that unpatched Exchange Servers are getting attacked to install ransomware dubbed "DearCry." This new ransomware apparently was first detected and reported by researcher Michael Gillespie at the ID-Ransomware Web site, per this Friday Kaspersky Threatpost article.

Since March 2, attacks on Exchange Server implementations worldwide have "tripled every two hours," according to a Thursday announcement by Check Point Software. Notably, the spike in activity seems to be coming from other attackers besides the Hafnium APT group because they aren't completing all of the attack steps.

"To date, hackers have yet to carry out the full chain of attack successfully," the Check Point researchers noted regarding these more recent Exchange Server attacks.

Other Attack Groups
Security researchers at ESET Research observed spikes in installed Webshells associated with the Exchange Server exploits since Microsoft's March 2 out-of-band patch release. These Webshells were detected on more than 5,000 servers, the researchers added in a Wednesday ESET announcement.

ESET named more than 10 other APT groups, excluding Hafnium, that were involved in the Exchange Server attacks. These groups have names such as "Tick, LuckyMouse, Calypso and the Winnti Group," among others.

Like Hafnium, these other APT groups apparently are mostly using the zero-day flaws in Exchange Server to conduct espionage, dropping Webshells for the purpose. However, ESET's announcement included a timeline showing that these groups also were using the Exchange Server exploits days before Microsoft's March 2 patch release, as early as Feb. 28.

Based on its timeline, the new attacks being seen this week aren't happening because Microsoft's March 2 patches got reverse-engineered, according to ESET:

This [ESET chronology] suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates.

In other words, lots of attack groups knew about the Exchange Server zero-day flaws in advance of Microsoft's patch release and were conducting early attacks.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft Sets September Launch for Purview Data Governance

    Microsoft's AI-powered Purview solution to address governance and security challenges is set to become generally available on Sept. 1.

  • An image of planes flying around a globe

    2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • End of the Road for Kaspersky in the United States

    Kaspersky on Monday said it is shuttering its U.S. operations, just days before a nationwide ban on sales of its security software was set to take effect.