Exchange PoC Released and APTs Gather Around Vulnerable Servers Like Piranhas

  • As if the situation wasn't dramatic enough already, someone has released proof-of-concept code (PoC) for exploiting vulnerable Exchange servers.
  • At least 10 APT groups had already been mass-exploiting Exchange email servers for over a week before the PoC appeared.
  • The recently released patches have yet to be applied to hundreds of thousands of systems, which remain vulnerable.

The situation with the Microsoft Exchange security lapse is unfolding a lot worse than even the most pessimistic predictions suggested, as literally everything is playing out badly. First, it took Microsoft a very long time to discover the flaws. Second, two months passed between Microsoft receiving a detailed report about the vulnerabilities and the release of a patch. Third, hundreds of thousands of Exchange servers still remain unpatched and vulnerable.

Source: Forbes

To top all that, a Vietnamese hacker decided that now would be the ideal time to publish his Exchange exploit proof-of-concept code (PoC) on GitHub and to explain the technical details in a post on Medium. Even before hacking groups had that valuable PoC at their disposal, they were already flocking to vulnerable systems: ESET reports having identified the activities of at least 10 APT groups launching mass-exploitation attacks since March 3, 2021.

Source: ESET

Obviously, sophisticated actors develop their own exploits, but the PoC could now open the door to less capable actors or to non-specialized ransomware groups. Even skillful hackers could use the PoC to find additional entry points. The timing of this release was simply very bad, but ethics are not enforced by law, so this is what everyone is dealing with right now.

KELA's threat analyst, Victoria Kivilevich told us:

We've been monitoring underground chatter about this and have noticed that numerous threat actors have shown high levels of interest in the newly released PoC exploit for Microsoft Exchange. We've observed that not only are APT groups showing interest driven by an espionage motivation, BUT cybercriminals are also showing interest as they see the potential monetary value that can be gained from exploiting this vulnerability. Please see below some examples of chatter showing the interest of threat actors in various underground forums:

Source: KELA

In the meantime, the number of organizations admitting to large-scale email data compromises grows by the day. In Germany, the national cybersecurity agency announced that as many as 60,000 computers were exposed to the flaw, 25,000 of which remain unpatched. In Norway, the parliament admitted that it had suffered a cyberattack in which the actors exploited the recently disclosed Exchange flaws.

In the United States, the number of compromised entities is too large to estimate right now, but CISA maintains that, at least, it does not include any federal agencies.

We are clearly in the stage of widespread exploitation. At the same time, cybersecurity agencies are investigating, trying to figure out who may have been compromised and what could have been accessed. The Exchange and SolarWinds incidents came so close together and are so large that the same teams that were already overwhelmed investigating and coordinating the response to the first are now called on to split their time and focus on the new problem.
