
Multiple APT Groups Now Targeting Microsoft Exchange Servers

Multiple state-sponsored hacking groups have been identified targeting tens of thousands of on-premises Exchange servers around the globe. The attacks exploit recently disclosed critical vulnerabilities in Microsoft Exchange Server, collectively tracked as ProxyLogon.

What has been discovered?

Microsoft's initial report attributed exploitation of ProxyLogon to the China-based APT group it tracks as Hafnium. Earlier this month, Microsoft released out-of-band security updates for Exchange Server 2013, 2016, and 2019, the on-premises versions affected by the vulnerabilities.
  • Within a day of the patches being released, several additional threat actors, including LuckyMouse (also tracked as APT27), Calypso, and the Winnti Group, were observed scanning for and compromising Exchange servers.
  • ESET Research observed web shells on more than 5,000 unique servers in over 115 countries. The largest concentrations of compromised servers were in the U.S., Germany, and the U.K.
  • Beyond exploiting the vulnerabilities themselves, the intrusions involved follow-on tooling including ShadowPad, the Opera Cobalt Strike loader, an IIS backdoor, and the DLTMiner cryptominer.

A brief history

Microsoft was first notified of these vulnerabilities in early January, when a security researcher reported two of the flaws.
  • Security firm Volexity detected in-the-wild attacks leveraging the flaws on January 6 and formally reported them to Microsoft on February 2.
  • Microsoft's security updates fixed the exploit chain tracked as CVE-2021-26855 (a pre-authentication server-side request forgery that lets an attacker authenticate as the Exchange server itself), CVE-2021-26857 (insecure deserialization in the Unified Messaging service), and CVE-2021-26858 and CVE-2021-27065 (post-authentication arbitrary file writes, used to drop web shells into web-facing directories).
  • However, multiple threat actors, including Hafnium, had started exploiting the vulnerabilities before the patch was released.

The rapid adoption of this exploit chain by several APTs shows how many threat actors stand ready to leverage critical vulnerabilities in widely deployed products as soon as they become public. Patch your Microsoft Exchange servers now, before it is too late. Because patching does not evict an attacker who is already inside, experts also recommend hunting for and removing web shells, rotating credentials, and reviewing the server for other signs of malicious activity in case of a prior compromise.
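As an added example (not part of the Cyware article, and not the tooling of Microsoft, ESET or any vendor named above), the following PowerShell triage script checks an on-premises Exchange server for the three most common traces of ProxyLogon exploitation: HttpProxy log entries with no authenticated user but an AnchorMailbox of the form ServerInfo~host/path (the indicator Microsoft published for CVE-2021-26855), Unified Messaging errors containing System.InvalidCastException (the indicator Microsoft published for CVE-2021-26857), and .aspx files in the web-facing folders where the observed web shells were dropped. The Exchange install root, the IIS wwwroot location and the cutoff date are assumptions declared as parameters; adjust them to the server being examined. It requires PowerShell 4 or later and an elevated session.

```powershell
# Added triage example, not from the original article or any vendor tool.
# Assumes a default Exchange 2013/2016/2019 layout under %ProgramFiles% and the
# default IIS wwwroot; both are parameters so they can be overridden.
function Find-ProxyLogonIndicators {
    [CmdletBinding()]
    param(
        # Assumed install root; override if Exchange lives elsewhere.
        [string]$ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'),
        # Assumed IIS web root.
        [string]$WwwRoot = (Join-Path $env:SystemDrive 'inetpub\wwwroot'),
        # Hypothetical cutoff: .aspx files written after this date in the auth
        # folders are reported. Pick a date before the exploitation window.
        [datetime]$Since = (Get-Date '2021-02-26')
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Indicator, [string]$Detail, $When) {
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail; When = $When })
    }

    # 1. CVE-2021-26855 (SSRF): the forged request reaches the backend without an
    #    authenticated user while carrying a ServerInfo~<host>/<path> anchor mailbox.
    #    HttpProxy logs are CSV with a header row, so Import-Csv exposes the fields.
    $httpProxy = Join-Path $ExchangeRoot 'Logging\HttpProxy'
    if (Test-Path $httpProxy) {
        Get-ChildItem -Path $httpProxy -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
            ForEach-Object {
                Import-Csv -Path $_.FullName -ErrorAction SilentlyContinue |
                    Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
                    ForEach-Object {
                        Add-Finding 'CVE-2021-26855 SSRF request' `
                            "$($_.AnchorMailbox) from $($_.ClientIpAddress)" $_.DateTime
                    }
            }
    }

    # 2. CVE-2021-26857 (UM deserialization): failed or successful attempts surface as
    #    Application log errors from the Unified Messaging source. The source is absent
    #    when the UM role is not installed, so errors are suppressed.
    Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        ForEach-Object {
            Add-Finding 'CVE-2021-26857 UM deserialization error' ($_.Message.Split("`n")[0]) $_.TimeGenerated
        }

    # 3. Web shells. aspnet_client is meant for client-side script only, so any .aspx
    #    there is suspect regardless of age.
    Get-ChildItem -Path (Join-Path $WwwRoot 'aspnet_client') -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Unexpected .aspx in aspnet_client' $_.FullName $_.LastWriteTime }

    #    owa\auth and ecp\auth legitimately contain .aspx pages, so only files written
    #    after the cutoff are reported, with a hash for comparison against a clean host.
    foreach ($rel in 'FrontEnd\HttpProxy\owa\auth', 'FrontEnd\HttpProxy\ecp\auth') {
        Get-ChildItem -Path (Join-Path $ExchangeRoot $rel) -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $Since } |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Add-Finding 'Recently written .aspx in auth folder' "$($_.FullName) SHA256=$hash" $_.LastWriteTime
            }
    }

    return $findings
}

# Usage: run in an elevated Exchange Management Shell or PowerShell session.
Find-ProxyLogonIndicators | Sort-Object When | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. Files updated by the security update itself will appear under the "recently written" check, so compare the reported hashes against a server known to be clean rather than treating every hit as a web shell. Conversely, an empty result does not prove the server was never compromised: HttpProxy logs rotate, and an attacker who removed the shell after establishing other persistence leaves none of these three traces, which is why credential rotation and a broader review are still recommended.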

Cyware Publisher