Tens of thousands of organisations have had their computer systems compromised after hacking groups used a flaw in Microsoft's mail server software to break into servers, experts claim.
The security holes in mail and calendar systems could leave them vulnerable to industrial-scale cyber espionage, with some of the hackers linked to China.
At least ten different hacking groups are involved, according to cyber-security firm ESET, which added that they were installing malware to open backdoors into email systems, allowing them to read emails or see contacts within that organisation with ease.
ESET said Exchange servers should be patched as soon as possible – even those not directly exposed to the internet should be upgraded to minimise the risk.
The flaw doesn’t apply to the Microsoft Outlook or Mail client, as the attack was on Exchange servers, primarily in large organisations – no company has been named.
Warnings have been issued by authorities in the US and Europe about the weaknesses found in Microsoft’s Exchange software and the tech giant has issued a patch to close the vulnerability.
Microsoft released its patches for Exchange Server 2013, 2016 and 2019 in March that closed the holes that allowed the hackers to gain access to the machines.
The vulnerabilities being exploited allowed an attacker to take over any reachable Exchange server, without the need to know any valid account credentials, making internet-connected Exchange servers especially vulnerable.
Unfortunately, software updates can be slow to filter down, with firms not acting fast enough – leaving them open to attack, warned ESET.
One such attack was on the Norwegian Parliament, using vulnerabilities in Microsoft Exchange software.
‘The fact that hackers were able to breach Government systems shows just how far-reaching and serious these vulnerabilities are,’ said cyber-security expert for Check Point, Lotem Finkelstein.
‘Check Point’s recent 2020 security report showed that 83% out of all attack vectors were email-based, and 87% of organisations have experienced an attempt to exploit an existing vulnerability,’ Finkelstein said.
‘The time-window between the discovery of a vulnerability and it being patched gives hackers the opportunity to launch these attacks.’
This is backed by research by ESET, which found that a number of hacking groups had access to the vulnerability days before Microsoft announced the details and released the patch.
Experts are concerned about the prospect of ransom-seeking cybercriminals taking advantage of the flaws because it could lead to widespread disruption.
ESET has identified more than 5,000 email servers that have been affected by malicious activity related to the incident.
The servers belong to organisations, businesses and governments from around the world – including some very high-profile groups.
Slovakia-based ESET said in a blog post issued on Wednesday there were already signs of cybercriminal exploitation.
One group that specialises in stealing computer resources to mine cryptocurrency is breaking into vulnerable servers to spread its malicious software.
‘The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse,’ said Matthieu Faou, an ESET cyber-security researcher.
‘Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign,’ he said.
APT (Advanced Persistent Threat) groups try to steal data, disrupt operations and even destroy infrastructure – over months or years rather than in an immediate attack.
They are often linked to or hired by an established nation state and regularly retarget the same victim over and over again, cyber-security experts explained.
‘However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later,’ says Faou.
Some APT groups were exploiting the vulnerabilities even before the patches were released, meaning ‘we can discard the possibility that those groups built an exploit by reverse engineering Microsoft updates,’ adds Faou.
ESET named 11 groups it said were taking advantage of the flaws to break into targeted networks – several of which researchers have tied to China.
Several of the groups appeared to know about the vulnerability before it was announced by Microsoft on March 2.
Faou said it was ‘very uncommon’ for so many different cyber espionage groups to have access to the same information before it is made public.
He speculated either the information ‘leaked’ ahead of the Microsoft announcement or was found by a third party that supplies information to cyber spies.
ESET said it found malicious programs or scripts allowing remote control of a server on more than 5,000 machines in over 115 countries.
‘It is now clearly beyond prime time to patch all Exchange servers as soon as possible,’ said Faou in a blog post for ESET.
‘Even those not directly exposed to the internet should be patched. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity.
‘The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet,’ advises Faou.