Ongoing investigations into the active exploitation of four Microsoft Exchange bugs have revealed attacks against US local government agencies.
On March 2, Microsoft warned that the zero-days, now tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, were being exploited by attackers in the wild.
If abused, the vulnerabilities can be used to access data on servers running Exchange Server 2013, 2016, and 2019.
Microsoft has urged customers to immediately apply the provided patches to address the risk, but as is often the case with zero-day disclosures, cyber attackers are quick to exploit them.
According to FireEye's Mandiant Managed Defense cybersecurity team, a wave of attacks against targets in the United States has exploited the Exchange security flaws.
Among the latest victims are local government agencies, an unnamed university, an engineering firm, and a host of vendors in the United States.
This month, one threat actor was seen using at least one of the bugs to install a web shell on an Exchange server to “establish persistence and second access,” according to the group. In two cases, cyber attackers sought to delete existing administrator accounts on Exchange servers.
Credential theft, compression of data for exfiltration, and the use of PowerShell to steal entire email inboxes were also recorded. The Covenant, Nishang, and PowerCat tools are used to maintain remote access.
Mandiant added that the compromise of two other organizations, a Southeast Asian government and a Central Asian communications company, may be related to the campaign.
“The work we have seen, combined with others in the information security industry, shows that these threatening players are likely to use the Exchange Server’s vulnerability to gain access to the environment,” Mandiant said. “This work is immediately followed by additional access and persistent processes.”
Microsoft has previously attributed attacks to Hafnium, a Chinese government-sponsored advanced persistent threat (APT) group. The APT has been linked to earlier attacks on US defense firms, the legal profession, researchers, and think tanks.
Mandiant expects more clusters of intrusions to emerge, a problem that could continue until the vulnerable servers are patched. Kaspersky says there is a high risk of data theft.
Microsoft Exchange users are urged to update their software as soon as possible.
In related news this week, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive instructing government agencies to respond immediately to the Microsoft Exchange vulnerabilities.