

Rewterz Threat Advisory – CVE-2021-29491 – Node.js Mixme Module Vulnerability
May 7, 2021
Rewterz Threat Advisory – CVE-2021-31166 – HTTP Protocol Stack Remote Code Execution Vulnerability
May 17, 2021
Severity
High
Analysis Summary
At least 10 APT (advanced persistent threat) groups have been actively exploiting the recently disclosed Microsoft Exchange Server vulnerabilities. Microsoft released patches for Exchange Server 2013, 2016, and 2019 in early March 2021. ESET Research has nonetheless identified that these 10 APT groups compromised more than 5,000 Microsoft Exchange email servers in over 115 countries worldwide.
The patches fix a chain of pre-authentication remote code execution (RCE) vulnerabilities. Thousands of organizations were hit in the three days that followed. The working hypothesis is that the attackers obtained the vulnerability details before the security researchers published them and began exploitation ahead of the patch.
“This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates,” ESET researchers say.
The APT groups allegedly involved are Websiic, Tick, Calypso, DLTMiner, Mikroceen, Tonto Team, LuckyMouse, and Winnti. About five of these groups have been exploiting the four Exchange vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Of these, CVE-2021-26855 is the pre-authentication server-side request forgery that gives an attacker the initial foothold; the other three are post-authentication bugs that are chained after it to write files (typically web shells) and execute code on the server.
To assist victims, Unit 221B has created a web-based service called Check My OWA (for Outlook Web Access, now Outlook Web App), which lets organizations check whether their email servers were compromised in the first wave of attacks.

Impact
Remote Code Execution
Affected Vendors
Microsoft
Affected Products
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Remediation
Refer to the Rewterz Threat Advisory for patches and mitigation techniques at https://rewterz.com/rewterz-news/rewterz-threat-advisory-microsoft-exchange-server-remote-code-execution-vulnerabilities
Note that applying the March 2021 security updates closes the vulnerabilities but does not remove web shells or other persistence an attacker may have placed before the update was installed. Any server that was reachable while unpatched should be treated as potentially compromised and checked, for example with the Check My OWA service mentioned above and by reviewing the Exchange server's own logs.
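Patching alone does not tell you whether a server was already hit during the exposure window described above. As an added example (not code from Rewterz, ESET, Microsoft or Unit 221B), the script below applies Microsoft's published HttpProxy log indicator for CVE-2021-26855, the pre-authentication SSRF that opens the chain: a request whose AuthenticatedUser is empty and whose AnchorMailbox matches ServerInfo~*/*. The sample log is constructed with a reduced column set (real HttpProxy logs carry many more fields); the hostnames, addresses, request IDs and the function and class names are this example's own assumptions.

```python
import csv
import fnmatch
import glob
import os
from dataclasses import dataclass

# Constructed sample in the shape of an Exchange HttpProxy log. Real files carry
# many more fields; only the columns the check needs are kept here. Row two is
# the indicator: empty AuthenticatedUser, AnchorMailbox of the form
# ServerInfo~*/*. All hosts, addresses and IDs are made up.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T10:15:01.123Z,1111-aaaa,203.0.113.10,/owa/auth/logon.aspx,,,200
2021-03-03T10:15:07.456Z,2222-bbbb,203.0.113.10,/ecp/y.js,,ServerInfo~a]@mail.example.local:444/autodiscover/autodiscover.xml,200
2021-03-03T10:16:30.789Z,3333-cccc,192.0.2.25,/owa/,EXAMPLE\\jdoe,Sid~S-1-5-21-1-2-3-1001,200
"""


@dataclass
class Hit:
    when: str
    request_id: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def parse_httpproxy_log(text):
    """Yield one dict per data row, using the #Fields header line as column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue  # other header comments (#Software, #Log-type, #Date, ...)
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        row = next(csv.reader([line]))
        yield dict(zip(fields, row))


def is_ssrf_indicator(row):
    """Microsoft's CVE-2021-26855 HttpProxy indicator: an unauthenticated request
    whose AnchorMailbox is a backend URL (ServerInfo~*/*) instead of a mailbox."""
    return (row.get("AuthenticatedUser", "") == ""
            and fnmatch.fnmatchcase(row.get("AnchorMailbox", ""), "ServerInfo~*/*"))


def find_hits(text):
    """Return every matching row in one log file's text as a Hit."""
    return [Hit(r["DateTime"], r["RequestId"], r["ClientIpAddress"],
                r["UrlStem"], r["AnchorMailbox"])
            for r in parse_httpproxy_log(text) if is_ssrf_indicator(r)]


def scan_directory(log_dir):
    """Run the check over every *.log under an HttpProxy logging directory
    (by default %ProgramFiles%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy).
    Returns an empty list when the directory does not exist."""
    hits = []
    for path in glob.glob(os.path.join(log_dir, "**", "*.log"), recursive=True):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(find_hits(fh.read()))
    return hits


if __name__ == "__main__":
    # Run against the constructed sample; point scan_directory() at a real
    # HttpProxy log directory on a suspect server.
    for h in find_hits(SAMPLE_HTTPPROXY_LOG):
        print(f"{h.when} {h.client_ip} {h.url_stem} -> {h.anchor_mailbox}")
```

A hit is evidence of exploitation attempts against the SSRF entry point, not proof that the later stages of the chain succeeded; follow each hit by looking for newly written files under the Exchange web directories and for the post-authentication CVEs in the same time window, and copy the logs off the host before any cleanup so the timeline survives.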