Microsoft's Exchange Server Security Problem Is Gaining Steam

The handful of Exchange Server zero-day flaws Microsoft announced earlier this month has snowballed into a much broader problem.

On March 2, Microsoft issued out-of-band security patches to address four zero-day Exchange Server flaws being exploited by an advanced persistent threat group (APT) it dubbed "Hafnium." The Hafnium group is thought to have used the four flaws in combination to carry out a widespread government and industry espionage campaign.

Microsoft is now warning that unpatched Exchange Servers are getting attacked to install ransomware dubbed "DearCry." This new ransomware apparently was first detected and reported by researcher Michael Gillespie at the ID-Ransomware Web site, per this Friday Kaspersky Threatpost article.

Since March 2, attacks on Exchange Server implementations worldwide have "tripled every two hours," according to a Thursday announcement by Check Point Software. Notably, the spike in activity seems to be coming from other attackers besides the Hafnium APT group because they aren't completing all of the attack steps.

"To date, hackers have yet to carry out the full chain of attack successfully," the Check Point researchers noted regarding these more recent Exchange Server attacks.

Other Attack Groups
Security researchers at ESET Research observed spikes in installed Webshells associated with the Exchange Server exploits since Microsoft's March 2 out-of-band patch release. These Webshells were detected on more than 5,000 servers, the researchers added in a Wednesday ESET announcement.

ESET named more than 10 other APT groups, excluding Hafnium, that were involved in the Exchange Server attacks. These groups have names such as "Tick, LuckyMouse, Calypso and the Winnti Group," among others.

Like Hafnium, these other APT groups apparently are mostly using the zero-day flaws in Exchange Server to conduct espionage, dropping Webshells for the purpose. However, ESET's announcement included a timeline showing that these groups also were using the Exchange Server exploits days before Microsoft's March 2 patch release, as early as Feb. 28.

Based on its timeline, the new attacks being seen this week aren't happening because Microsoft's March 2 patches got reverse-engineered, according to ESET:

This [ESET chronology] suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates.

In other words, lots of attack groups knew about the Exchange Server zero-day flaws in advance of Microsoft's patch release and were conducting early attacks.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.