Four zero-day vulnerabilities (known but unpatched vulnerabilities) in Microsoft Exchange Server are being deliberately exploited by a threat group and appear to have been adopted by other cybercriminals in widespread attacks, according to security firm ESET.
ESET published an alarming report Wednesday, which states that at least 11 separate hacker groups have been exploiting the flaws. "It's obviously past prime time to patch all Exchange servers as quickly as possible," the company wrote.
The threat affects mainly companies and government agencies that use Microsoft Exchange to handle emails.
Last week, Microsoft identified four previously undisclosed software flaws that could pave the way for remote takeover of the affected server. At the time, the company's Redmond HQ only mentioned that one actor, a Chinese state-sponsored hacking community called "Hafnium," had been exploiting vulnerabilities to steal emails from US-based customers since at least early January.
But according to ESET, Hafnium is not the only party to exploit the flaws. Using its antivirus program, the company's security analysts discovered evidence that three other cyber-espionage hacking groups were already exploiting vulnerabilities days before Microsoft disclosed the threat.
After Microsoft patches, other hacker groups joined the exploit. The groups include Winnti, who's been blamed for infiltrating Avast's CCleaner and PC vendor Asus to distribute malware to software programs used by millions of consumers.
To monitor the attacks, ESET has been searching for servers that have been reconfigured with malicious web shells that can allow remote hackers access to the system.
However, the ESET analysis catches only a subset of the exploitation. Security writer Brian Krebs revealed last week that authorities suspect that at least 30,000 U.S. companies have been hacked through vulnerabilities in the Microsoft Exchange program. In some cases, the victimized servers were infested with multiple backdoors.
ESET is now advising that it will only be a matter of time before hacker groups, such as ransomware operators, begin exploiting vulnerabilities to hold data hostage.
Microsoft itself has warned that "multiple groups" are now taking advantage of the vulnerabilities. In response, the company released a number of communications with guidance about how to patch and secure Exchange servers from exploitation.
