
Thousands of email servers under siege: the number is growing

ESET Research has found that more than ten different APT (advanced persistent threat) groups are exploiting the recent Microsoft Exchange vulnerabilities to compromise email servers.

ESET has identified more than 5,000 email servers affected by malicious activity related to the incident. The servers belong to organizations, both businesses and governments, from all over the world.

At the beginning of March, Microsoft released updates (patches) for Exchange Server 2013, 2016 and 2019 that fix a number of Remote Code Execution (RCE) vulnerabilities.

The vulnerabilities allow an attacker to take control of any reachable Exchange server without needing account credentials, which makes Exchange servers exposed to the internet particularly vulnerable.

"The day after the updates were released, we started noticing many threat actors scanning and mass-attacking Exchange servers. Interestingly, all of them are APT groups focused on espionage, except one that appears to be related to a known cryptocurrency-mining campaign. However, it is inevitable that sooner or later more and more cybercriminals, including ransomware operators, will exploit the vulnerabilities," says Matthieu Faou, who leads ESET's research effort.

ESET researchers observed that some APT groups were exploiting the vulnerabilities before the updates were released. "This means we can rule out the possibility that these groups built their exploit by reverse engineering the Microsoft updates," Faou added.

ESET telemetry has identified the presence of webshells (malicious scripts that allow remote control of a server through a web browser) on more than 5,000 servers in more than 115 countries.

Percentage of webshells detected by country

ESET has identified more than ten different threat groups that have most likely exploited the recent Microsoft Exchange vulnerabilities to install malware such as webshells on victims' email servers. In some cases, different groups target the same organization.

The groups and activity clusters identified are: Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad activity, the "Opera" Cobalt Strike, IIS backdoors, Mikroceen and DLTMiner.

"It is now clear that we need to update all Exchange servers as soon as possible, even those that are not directly connected to the internet. In the event of a breach, administrators should remove the webshells, change credentials and investigate any additional malicious activity. This incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet," advises Faou.
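As an added illustration of the first remediation step in that advice, finding the webshells described earlier, the following Python script is not ESET's or Microsoft's tooling and is not code from the original article. It walks a web root, picks out server-side ASP.NET files (.aspx, .ashx and similar), and flags those that were written after the patch date or that contain eval-style markers, running against a constructed sample tree instead of a real Exchange installation. The patch date (2 March 2021; the article only says "beginning of March"), the directory names and the indicator patterns are assumptions for the example; on a real server you would point it at the Exchange FrontEnd HttpProxy folders and the IIS wwwroot, and treat every hit as a lead to verify by hand, not a verdict.

```python
"""Triage helper: flag candidate webshells under an IIS web root.

Constructed example for illustration. Paths, indicator patterns and the patch
date are assumptions, not vendor tooling or indicators from the article.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: the Exchange fixes shipped on 2 March 2021. Server-side files
# written on or after this date deserve a closer look.
PATCH_RELEASE = datetime(2021, 3, 2, tzinfo=timezone.utc)

# File types IIS executes server-side; static content is ignored.
SERVER_SIDE_EXT = {".aspx", ".ashx", ".asmx", ".ascx", ".asax"}

# Assumed indicators. "Strong" markers rarely appear in Exchange's own pages;
# "weak" ones are ordinary ASP.NET syntax and only count on recent files.
STRONG = {
    "jscript_eval": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "process_start": re.compile(r"Process\.Start|cmd\.exe|powershell", re.IGNORECASE),
}
WEAK = {
    "runat_server": re.compile(r'runat\s*=\s*"?server"?', re.IGNORECASE),
    "request_index": re.compile(r"Request\s*\[", re.IGNORECASE),
}


def classify(text, mtime):
    """Return (severity or None, matched indicator names, modified_after_patch)."""
    strong_hits = [name for name, rx in STRONG.items() if rx.search(text)]
    weak_hits = [name for name, rx in WEAK.items() if rx.search(text)]
    recent = mtime >= PATCH_RELEASE
    if strong_hits:
        return "high", strong_hits + weak_hits, recent
    if weak_hits and recent:
        return "medium", weak_hits, recent
    return None, [], recent


def scan_tree(root):
    """Walk root and return findings for suspicious server-side files."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SERVER_SIDE_EXT:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        text = path.read_text(encoding="utf-8", errors="replace")
        severity, hits, recent = classify(text, mtime)
        if severity:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "severity": severity,
                "indicators": hits,
                "modified_after_patch": recent,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Write a constructed, deliberately small tree; these are not real Exchange files."""
    root = Path(root)
    old_ts = datetime(2020, 11, 1, tzinfo=timezone.utc).timestamp()
    new_ts = datetime(2021, 3, 4, tzinfo=timezone.utc).timestamp()
    samples = {
        # Resembles a legitimate page: weak markers only, installed long before the patch.
        "owa/auth/logon.aspx": (
            '<%@ Page Language="C#" %>\n<form runat="server" id="f">'
            '<asp:TextBox id="u" runat="server"/></form>\n', old_ts),
        # Constructed webshell-like drop: evaluates a request parameter, written after the patch.
        "owa/auth/help.aspx": (
            '<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["c"],"unsafe");}</script>\n', new_ts),
        # Recently written but static content: must not be flagged.
        "ecp/themes/readme.txt": ("theme notes\n", new_ts),
    }
    for rel, (content, ts) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
        os.utime(p, (ts, ts))  # backdate or post-date the file to simulate history
    return root


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The severity split matters in practice: Exchange's own pages legitimately contain `runat="server"`, so a weak marker alone is only interesting on a file whose timestamp postdates the patch, whereas `eval(` in a server-side page is worth a look regardless of date. Timestamps can be forged, so a high-severity hit with an old mtime is still a lead.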

For more technical details on the attacks that exploit the recent Exchange vulnerabilities, read the blogpost "Exchange servers under siege from at least 10 APT groups" at WeLiveSecurity.

iGuRu.gr The Best Technology Site in Greece


Written by newsbot

