At least 10 hacking groups using Microsoft software flaw

Discussion in 'other security issues & news' started by hawki, Mar 10, 2021.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "WASHINGTON (Reuters) - At least 10 different hacking groups are using a recently discovered flaw in Microsoft Corp’s mail server software to break in to targets around the world, according to researchers at cybersecurity company ESET...

    Slovakia-based ESET said in a blog post issued on Wednesday there were already signs of cybercriminal exploitation, with one group that specializes in stealing computer resources to mine cryptocurrency breaking in to vulnerable Exchange servers to spread its malicious software...

    Intriguingly, several of the groups appeared to know about the vulnerability before it was announced by Microsoft on March 2.

    ESET researcher Matthieu Faou...speculated that either the information 'somehow leaked' ahead of the Microsoft announcement or it was found by a third party that supplies vulnerability information to cyber spies..."

    https://www.reuters.com/article/us-...tware-flaw-researchers-idUSKBN2B224O?rpc=401&
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "There’s a vexing mystery surrounding the 0-day attacks on Exchange servers

    A half-dozen groups exploiting the same 0-days is unusual, if not unprecedented.

    The Microsoft Exchange vulnerabilities that allow hackers to take over Microsoft Exchange servers are under attack by no fewer than 10 advanced hacking groups, six of which began exploiting them before Microsoft released a patch, researchers reported Wednesday. That raises a vexing mystery: how did so many separate threat actors have working exploits before the security flaws became publicly known?...

    The mystery is compounded by this: within a day of Microsoft issuing the patches, at least three more APTs joined the fray. A day later, another one was added to the mix. While it’s possible those four groups reverse engineered the fixes, developed weaponized exploits, and deployed them at scale, those types of activities usually take time. A 24-hour window is on the short side.

    There’s no clear explanation for the mass exploitation by so many different groups, leaving researchers few alternatives other than to speculate..."

    https://arstechnica.com/gadgets/202...hange-server-0-days-were-exploited-by-6-apts/
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Microsoft Probing Whether Leak Played Role in Suspected Chinese Hack

    Microsoft Corp. is investigating whether the hackers behind a world-wide cyberattack may have obtained sensitive information necessary to launch the attack from private disclosures it made with some of its security partners, according to people familiar with the matter...

    The investigation centers in part on the question of how a stealthy attack that began in early January picked up steam in the week before the company was able to send a software fix to customers...

    Investigators have focused on whether a Microsoft partner with whom it shared information about the bug hackers were exploiting leaked it to other groups, either inadvertently or on purpose...

    Some of the tools used in the second wave of the attack, which is believed to have begun on Feb. 28, bear similarities to “proof of concept” attack code that Microsoft distributed to antivirus companies and other security partners on Feb. 23...

    Microsoft and others have been reviewing an information-sharing program called the Microsoft Active Protections Program (Mapp), which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies world-wide, about 10 of which are based in China..."

    https://www.wsj.com/articles/micros...ed-role-in-suspected-chinese-hack-11615575793
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Exploitation of this vulnerability possibly occurred as early as Nov., 2020:
    https://arstechnica.com/gadgets/202...hange-server-0-days-were-exploited-by-6-apts/
     
    Last edited: Mar 13, 2021
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    BTW - Nextron has released a free version of their deep scan forensic scanner, Thor - Light, to scan for compromise indicators:
    https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite/

    Note: the free version only works for Exchange Server 2010+. For Exchange Server 2003 and 2008, you will have to pay for a legacy version they offer.
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Microsoft Probes Clue That Hackers Cracked Taiwan Research

    Microsoft Corp. is investigating whether hackers who attacked its email system exploited the findings of Taiwanese researchers who were the first to alert the software company to the vulnerabilities...

    DEVCORE, a small firm based in Taipei City that specializes in discovering computer security flaws, in December said it found bugs affecting Microsoft’s widely used Exchange business email software. Then in late February, Microsoft notified DEVCORE that it was close to releasing security patches to fix the problem...

    In the days after Microsoft disclosed its still secret patch to DEVCORE, attackers escalated their malicious activity on networks using Exchange servers...

    In late February, Microsoft notified DEVCORE that it was nearly ready to release the security patches. The same day, there was an increase in hacker activity...

    The researcher at DEVCORE who first found the security flaws in the Exchange servers goes by the name Orange Tsai. On Twitter, Tsai pointed out that the exploit used during the February attacks 'looks the same' as the one he created as a proof of concept and that DEVCORE reported to Microsoft. He said he had hard-coded the password “orange” into the malware..."

    https://www.bloombergquint.com/business/microsoft-probes-clue-that-hackers-cracked-taiwan-research
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    I would think maybe a leak around late Dec. Refer to this: https://www.domaintools.com/resourc...ge-exploitation-and-its-lessons-for-defenders. With a 0-day vulnerability like this selling for thousands of dollars on the dark web, the temptation might have been too great to resist.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Bleepingcomputer published an extensive current status on this vulnerability here: https://www.bleepingcomputer.com/ne...ange-hacks-how-they-started-and-where-we-are/.

    The main thing to note is that it's confirmed this vulnerability was being exploited months prior to Mar., 2021:
    Of significance is that exploitation was occurring prior to the POC being formally submitted to Microsoft. As such, it strongly points to someone at Devcore research, or associated with them, "leaking" the vulnerability. Even if only e-mails were plundered, the data gained from those could seriously compromise an organization.
     
    Last edited: Mar 16, 2021
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Cyber criminals are installing cryptojacking malware on unpatched Microsoft Exchange servers

    Cyber attackers are scanning the internet for vulnerable Microsoft Exchange servers they can exploit to mine for cryptocurrency...

    Cybersecurity researchers at Sophos have identified attackers attempting to take advantage of the Microsoft Exchange Server ProxyLogon exploit to secretly install a Monero cryptominer on Exchange servers...

    'Server hardware is pretty desirable for cryptojacking because it usually has a higher performance than a desktop or laptop. Because the vulnerability permits the attackers to simply scan the whole internet for available, vulnerable machines, and then roll them into the network, it's basically free money rolling in for the attackers,' Andrew Brandt, principal threat researcher at Sophos, told ZDNet..."

    https://www.zdnet.com/article/free-...ware-on-unpatched-microsoft-exchange-servers/
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,909
    Location:
    Slovenia, EU
    A botnet named after Prometheus is also exploiting Exchange Server flaws
    https://www.cyberscoop.com/prometei-botnet-exchange-server-cybereason/
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,909
    Location:
    Slovenia, EU
    Prometei Botnet Could Fire Up APT-Style Attacks
    https://threatpost.com/prometei-botnet-apt-attacks/165574/
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,909
    Location:
    Slovenia, EU
    Microsoft weighs revamping flaw disclosures after suspected leak
    https://techxplore.com/news/2021-04-microsoft-revamping-flaw-disclosures-leak.html
     