Just five minutes after Microsoft disclosed a security problem in its Exchange Server software last March, a report has been able to verify that a large group of cybercriminals had already started "scanning" for possible targets.
The Palo Alto Networks report "2021 Cortex Xpanse Attack Surface Threat Report" analyzed various threats between January and March of this year and was thus able to verify the great interest that the Redmond firm's bug aroused among cybercriminals.
It should be remembered that an attack on Microsoft Exchange Server was made public in March. According to reports, a group of hackers in China, Hafnium, was attacking servers in different countries around the world through this Redmond software. The flaw affects Exchange Server versions 2013 to 2019. A few days later, Microsoft publicly released the patch.
Interest in vulnerabilities in widely adopted software
According to Palo Alto researchers, when critical vulnerabilities in widely adopted software are made public, it can spark a race between attackers and IT administrators: attackers rush to find suitable targets, "especially when proof-of-concept (PoC) code is available or the bug seems easy to exploit," while IT staff rush to perform risk assessments and implement the necessary patches.
The report points out that, in particular, for zero-day vulnerabilities, it is recorded that on average just 15 minutes after a problem becomes known there are already attackers running general scans to survey the situation.
For Microsoft Exchange, however, the Palo Alto researchers claim that attackers "worked faster," and the scans were carried out in just five minutes.
An attack that is still being talked about
In March, Microsoft warned that hackers from China had taken advantage of a flaw in its Exchange Server system, intended for companies, to access their emails and contact lists, and that they could also install malware.
According to information provided by Microsoft, Hafnium primarily targets entities in the United States (but also from other countries) in order to access information from various sectors, such as infectious disease researchers, law firms, higher education institutions, defense contractors, political think tanks and NGOs.
Although Hafnium is based in China, it operates mainly from virtual private servers (VPS) rented in the United States. A few days ago, Cisco Talos discovered an attack that could have been taking advantage of weaknesses in Windows Exchange Server since last April.
The culprit is Lemon Duck, a botnet that had already been discovered in March taking advantage of vulnerable servers and using these systems to mine cryptocurrencies (a technique also known as cryptojacking).