Hackers Are Swarming Microsoft Exchange


Those Microsoft Exchange security flaws you may have heard about are really getting pummelled. If ever there was a time for cybersecurity reporters to trot out metaphors involving phrases like “blood in the water” and “deranged swarm of piranhas,” it might be right now.

At least 10 separate advanced persistent threat actors (a fancy term for well-organised hacker groups) are targeting the email product’s vulnerabilities, according to a recent report from security firm ESET. This is contrary to what Microsoft initially said, which is that the flaws were mainly being targeted by one group, a “state-sponsored” threat actor located in China that they are calling “HAFNIUM.”


Instead, ESET reports that Exchange is basically getting pillaged by close to a dozen different groups, all of which have names that sound like bad gamertags, including Tick, LuckyMouse, Calypso, Websiic, Winnti, TontoTeam, Mikroceen and DLTMiner. There are also apparently two other hacker groups that have not yet been identified. So, yeah, it’s a pretty big mess.

The hacking seems to have picked up directly after Microsoft released its patches, too, as ESET’s report states that “the day after the release of the patch” security researchers “started to see many more threat actors (including Tonto Team and Mikroceen) scanning and compromising Exchange servers en masse.”

A new report from security researchers with DomainTools has also thrown cold water on the idea that “HAFNIUM” is actually a hacker group associated with the Chinese government. So, on top of everything else, it’s not even clear who or what “HAFNIUM” is:

“While such a link [to the PRC] is certainly possible and has not been ruled out, as of this writing no conclusive evidence has emerged linking HAFNIUM operations to the People’s Republic of China (PRC). And HAFNIUM is also far from the only entity assessed to be targeting this vulnerability.”

Who is getting targeted? According to a warning from the FBI published Wednesday, it would appear the answer is: pretty much everybody.

Threat actors have targeted local governments, academic institutions, non-governmental organisations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defence, legal services, power utilities, and pharmaceutical.


While the entities in the U.S. said to be affected number 30,000 or more, it’s so far been a slow trickle of disclosures — though local governments and small businesses are thought to be some of the more heavily targeted. On Wednesday, U.S. officials said that, so far, there is no evidence of federal executive agencies having been compromised by the attacks.