At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities (Security News, March 2021)
At least 10 threat actors are currently involved in the targeting of Microsoft Exchange servers that are affected by recently disclosed zero-day vulnerabilities, according to cybersecurity firm ESET. On March 2, Microsoft announced patches for four bugs that were part of a pre-authentication remote code execution attack chain already being exploited in the wild.
Now, ESET reveals that at least 10 threat actors are actively engaged in such attacks, including Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad, Mikroceen, and DLTMiner.
"On 2021-02-28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group. This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch," ESET notes.
Immediately after the patches were released, the researchers noticed a spike in attacks, with adversaries "scanning and compromising Exchange servers en masse." Overall, more than 10 different threat actors are currently abusing the RCE exploit chain to install implants on vulnerable servers.
"Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization," ESET says.
On Wednesday, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued a joint advisory on the compromise of Exchange servers, noting that both state-sponsored actors and cybercriminals are targeting the zero-day flaws.