Microsoft's Exchange Server Security Problem Is Gaining Steam

The handful of Exchange Server zero-day flaws Microsoft announced earlier this month has snowballed into a much broader problem.

On March 2, Microsoft issued out-of-band security patches to address four zero-day Exchange Server flaws being exploited by an advanced persistent threat group (APT) it dubbed "Hafnium." The Hafnium group is thought to have used the four flaws in combination to carry out a widespread government and industry espionage campaign.

Microsoft is now warning that unpatched Exchange Servers are getting attacked to install ransomware dubbed "DearCry." This new ransomware apparently was first detected and reported by researcher Michael Gillespie at the ID-Ransomware Web site, per this Friday Kaspersky Threatpost article.

Since March 2, attacks on Exchange Server implementations worldwide have "tripled every two hours," according to a Thursday announcement by Check Point Software. Notably, the spike in activity seems to be coming from other attackers besides the Hafnium APT group because they aren't completing all of the attack steps.

"To date, hackers have yet to carry out the full chain of attack successfully," the Check Point researchers noted regarding these more recent Exchange Server attacks.

Other Attack Groups
Security researchers at ESET Research observed spikes in installed Webshells associated with the Exchange Server exploits since Microsoft's March 2 out-of-band patch release. These Webshells were detected on more than 5,000 servers, the researchers added in a Wednesday ESET announcement.

ESET named more than 10 other APT groups, excluding Hafnium, that were involved in the Exchange Server attacks. These groups have names such as "Tick, LuckyMouse, Calypso and the Winnti Group," among others.

Like Hafnium, these other APT groups apparently are mostly using the zero-day flaws in Exchange Server to conduct espionage, dropping Webshells for the purpose. However, ESET's announcement included a timeline showing that these groups also were using the Exchange Server exploits days before Microsoft's March 2 patch release, as early as Feb. 28.

Based on its timeline, the new attacks being seen this week aren't happening because Microsoft's March 2 patches got reverse-engineered, according to ESET:

This [ESET chronology] suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates.

In other words, lots of attack groups knew about the Exchange Server zero-day flaws in advance of Microsoft's patch release and were conducting early attacks.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Vows To Ease European Cloud Infrastructure Burden

    Microsoft announced new revamps to its Microsoft Cloud Solution Provider partner program to pacify European regulators.

  • Citrix HDX Option Coming to Windows 365 Subscribers

    Citrix's "high-definition user experience" (HDX) technologies will be available as an option for Windows 365 desktop-as-a-service users, according to a joint announcement by Microsoft and Citrix.

  • Ransomware Report: Don't Pay the Attackers

    According to a recent report, paying the ransom for an organization's hijacked data doesn't ensure return of the stolen data.

  • Veeam Adding Intelligence to Microsoft 365 Backup Solution

    Backup and recovery giant and major Microsoft partner Veeam unveiled a raft of new features to its solution portfolio at its VeeamON conference this week.