Microsoft's Exchange Server Security Problem Is Gaining Steam

The handful of Exchange Server zero-day flaws Microsoft announced earlier this month has snowballed into a much broader problem.

On March 2, Microsoft issued out-of-band security patches to address four zero-day Exchange Server flaws being exploited by an advanced persistent threat group (APT) it dubbed "Hafnium." The Hafnium group is thought to have used the four flaws in combination to carry out a widespread government and industry espionage campaign.

Microsoft is now warning that unpatched Exchange Servers are getting attacked to install ransomware dubbed "DearCry." This new ransomware apparently was first detected and reported by researcher Michael Gillespie at the ID-Ransomware Web site, per this Friday Kaspersky Threatpost article.

Since March 2, attacks on Exchange Server implementations worldwide have "tripled every two hours," according to a Thursday announcement by Check Point Software. Notably, the spike in activity seems to be coming from other attackers besides the Hafnium APT group because they aren't completing all of the attack steps.

"To date, hackers have yet to carry out the full chain of attack successfully," the Check Point researchers noted regarding these more recent Exchange Server attacks.

Other Attack Groups
Security researchers at ESET Research observed spikes in installed Webshells associated with the Exchange Server exploits since Microsoft's March 2 out-of-band patch release. These Webshells were detected on more than 5,000 servers, the researchers added in a Wednesday ESET announcement.

ESET named more than 10 other APT groups, excluding Hafnium, that were involved in the Exchange Server attacks. These groups have names such as "Tick, LuckyMouse, Calypso and the Winnti Group," among others.

Like Hafnium, these other APT groups apparently are mostly using the zero-day flaws in Exchange Server to conduct espionage, dropping Webshells for the purpose. However, ESET's announcement included a timeline showing that these groups also were using the Exchange Server exploits days before Microsoft's March 2 patch release, as early as Feb. 28.

Based on its timeline, the new attacks being seen this week aren't happening because Microsoft's March 2 patches got reverse-engineered, according to ESET:

This [ESET chronology] suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates.

In other words, lots of attack groups knew about the Exchange Server zero-day flaws in advance of Microsoft's patch release and were conducting early attacks.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • Microsoft Expands Copilots with Finance and OneDrive Additions

    New Microsoft Copilot generative artificial intelligence products and capabilities were described this week.

  • Microsoft Surface Hub 2S OS Upgrades Available

    Microsoft Surface Hub 2S users can now upgrade those devices to run the Teams Rooms on Windows operating system at no extra cost.

  • Windows 11 Upgrade Prompts Coming in April

    Microsoft plans to issue messages to Windows users in April, prodding them to upgrade to Windows 11 version 23H2.