At least ten hacking groups, some linked to China, use flaws in Microsoft mail to break servers

Tens of thousands of organisations have had their computer systems compromised after hacking groups used a flaw in Microsoft mail software to break into servers, experts claim.

The security holes in mail and calendar systems could leave organisations vulnerable to industrial-scale cyber espionage, with some of the hackers linked to China.

At least ten different hacking groups are involved, according to cyber-security firm ESET, which added that the attackers were installing malware to open backdoors into email systems, allowing them to read emails or see contacts within an organisation with ease.

ESET said Exchange servers should be patched as soon as possible – even those not directly exposed to the internet should be upgraded to minimise the risk.

The flaw does not affect the Microsoft Outlook or Mail client, as the attack was on Exchange servers, primarily in large organisations – no company has been named.

At least 10 hacking groups are using a flaw in Microsoft’s email software to break into targets around the world, cybersecurity experts claim

Tick – compromised the web server of a company based in East Asia that provides IT services. 

LuckyMouse – compromised the email server of a governmental entity in the Middle East. 

Calypso – compromised the email servers of governmental entities in the Middle East and in South America. 

Websiic – targeted seven email servers belonging to private companies in Asia and a governmental body in Eastern Europe. 

Winnti Group – compromised the email servers of an oil company and a construction equipment company in Asia. 

Tonto Team – compromised the email servers of a procurement company and of a consulting company specialised in software development and cybersecurity, both based in Eastern Europe.

ShadowPad activity – compromised the email servers of a software development company based in Asia and a real estate company based in the Middle East. 

The “Opera” Cobalt Strike – targeted around 650 servers, mostly in the US, Germany, the UK and other European countries just a few hours after the patches were released.

IIS backdoors – ESET observed IIS backdoors installed via webshells used in these compromises on four email servers located in Asia and South America. 

Mikroceen – compromised the Exchange server of a utility company in Central Asia, which is the region this group typically targets.

DLTMiner – ESET detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using the Exchange vulnerabilities.

Warnings have been issued by authorities in the US and Europe about the weaknesses found in Microsoft’s Exchange software and the tech giant has issued a patch to close the vulnerability.

Microsoft released its patches for Exchange Server 2013, 2016 and 2019 in March that closed the holes that allowed the hackers to gain access to the machines.

The vulnerabilities being exploited allowed an attacker to take over any reachable Exchange server, without the need to know any valid account credentials, making internet-connected Exchange servers especially vulnerable. 

Unfortunately software updates can be slow to filter down, with firms not acting fast enough – leaving them open to attack, warned ESET.

One such attack was on the Norwegian Parliament, using vulnerabilities in Microsoft Exchange software. 

‘The fact that hackers were able to breach Government systems shows just how far-reaching and serious these vulnerabilities are,’ said cyber-security expert for Check Point, Lotem Finkelstein.

‘Check Point’s recent 2020 security report showed that 83% out of all attack vectors were email-based, and 87% of organisations have experienced an attempt to exploit an existing vulnerability,’ Finkelstein said.

‘The time-window between the discovery of a vulnerability and it being patched gives hackers the opportunity to launch these attacks.’

This is backed by research by ESET, which found a number of hacking groups had access to the vulnerability days before Microsoft announced the details and released the patch.

Experts are concerned about the prospect of ransom-seeking cybercriminals taking advantage of the flaws because it could lead to widespread disruption.

ESET has identified more than 5,000 email servers that have been affected by malicious activity related to the incident.

The servers belong to organisations, businesses and governments from around the world – including some very high profile groups.

Slovakia-based ESET said in a blog post issued on Wednesday there were already signs of cybercriminal exploitation.

One group that specialises in stealing computer resources to mine cryptocurrency is breaking into vulnerable servers to spread its malicious software.

‘The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse,’ said Matthieu Faou, ESET cyber-security researcher.

‘Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign,’ he said.

APT (Advanced Persistent Threat) groups try to steal data, disrupt operations and even destroy infrastructure – over months or years rather than in an immediate attack.

Several of the groups appeared to know about the vulnerability before it was announced by Microsoft on March 2


APT – Advanced Persistent Threat – groups are cyber criminals that effectively work to order.

They will take direction from a large organisation or nation state and attack a single target over months or years.

Methods are similar to those of normal cyber-criminals, including exploiting vulnerabilities to steal data or cause disruption.

However, they work over a longer period and will target a single organisation, attacking it repeatedly.

Attacks are carefully planned to infiltrate the organisation and fly under the radar. 

Sometimes they are directly employed by a nation state, others are sponsored by a nation state. 

They are often linked to or hired by an established nation state and regularly retarget the same victim over and over again, cyber-security experts explained.

‘However, it is inevitable that more and more threat actors, including ransomware operators, will have access to the exploits sooner or later,’ says Faou.

Some APT groups were exploiting the vulnerabilities even before the patches were released, meaning ‘we can discard the possibility that those groups built an exploit by reverse engineering Microsoft updates,’ adds Faou. 

ESET named 11 groups it said were taking advantage of the flaws to break into targeted networks – several of which researchers have tied to China.

Several of the groups appeared to know about the vulnerability before it was announced by Microsoft on March 2.

Faou said it was ‘very uncommon’ for so many different cyber espionage groups to have access to the same information before it is made public.

He speculated either the information ‘leaked’ ahead of the Microsoft announcement or was found by a third party that supplies information to cyber spies.

ESET said they found malicious programs or scripts allowing remote control of a server on more than 5,000 machines in over 115 countries.

‘It is now clearly beyond prime time to patch all Exchange servers as soon as possible,’ said Faou in a blog post for ESET.

‘Even those not directly exposed to the internet should be patched. In case of compromise, admins should remove the webshells, change credentials and investigate for any additional malicious activity. 

‘The incident is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be open to the internet,’ advises Faou.
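Faou’s advice to investigate for additional malicious activity can start from the IIS logs on the Exchange server. The following is an added example, not ESET’s or Microsoft’s code: it parses constructed IIS W3C log lines and flags requests to .aspx paths that are not in an assumed baseline of legitimate pages, the footprint a dropped webshell leaves behind; the log lines, path names and baseline are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in IIS W3C format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:15:22 10.0.0.5 POST /owa/auth/Current/themes/resources/placeholder.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:15:23 10.0.0.5 POST /owa/auth/Current/themes/resources/placeholder.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:16:40 10.0.0.5 GET /ecp/default.aspx - 443 DOMAIN\\admin 10.0.0.22 Mozilla/5.0 200
2021-03-03 10:17:05 10.0.0.5 GET /aspnet_client/system_web/placeholder2.aspx - 443 - 203.0.113.9 curl/7.64 200
"""

# Assumed baseline: .aspx paths inventoried as legitimate (build it from a known-good install).
BASELINE = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}


def parse_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            values = raw.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_unknown_aspx(log_text, baseline):
    """Return {uri: finding} for .aspx paths outside the baseline: first request, clients, hits, POSTs."""
    findings = defaultdict(lambda: {"first_seen": None, "clients": set(), "hits": 0, "posts": 0})
    for rec in parse_w3c(log_text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.endswith(".aspx") or uri in baseline:
            continue
        f = findings[uri]
        seen = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        f["first_seen"] = seen if f["first_seen"] is None else min(f["first_seen"], seen)
        f["clients"].add(rec["c-ip"])
        f["hits"] += 1
        f["posts"] += int(rec["cs-method"] == "POST")  # a fresh .aspx that is only ever POSTed to is suspicious
    return dict(findings)


if __name__ == "__main__":
    for uri, f in find_unknown_aspx(SAMPLE_LOG, BASELINE).items():
        print(uri, f["first_seen"], f["hits"], "hits", f["posts"], "POSTs from", sorted(f["clients"]))
```

Every flagged path should then be checked on disk (creation time, contents) and its client addresses compared with the incident timeline before credentials are rotated.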

Phishing involves cyber-criminals attempting to steal personal information such as online passwords, bank details or money from an unsuspecting victim. 

Very often, the criminal will use an email, phone call or even a fake website pretending to be from a reputable company. 

The criminals can use personal details to complete profiles on a victim which can be sold on the dark web. 

Cyber criminals will use emails in an effort to elicit personal information from victims in order to commit fraud or infect the user's computer for nefarious purposes 

Some phishing attempts involve criminals sending out infected files in emails in order to take control of a victim’s computer.   

Any form of social media or electronic communication can form part of a phishing attempt.

Action Fraud warns that you should never assume an incoming message is from a genuine company – especially if it asks for a payment or wants you to log on to an online account.

Banks and other financial institutions will never email looking for passwords or other sensitive information. 

An effective spam filter should protect against most malicious messages, although the user should never call the number at the bottom of a suspicious email or follow its link.

Experts advise that customers should call the organisation directly to see if the attempted communication was genuine.  

According to Action Fraud: ‘Phishing emails encourage you to visit the bogus websites. 

‘They usually come with an important-sounding excuse for you to act on the email, such as telling you your bank details have been compromised, or claim they’re from a business or agency and you’re entitled to a refund, rebate, reward or discount.

‘The email tells you to follow a link to enter crucial information such as login details, personal information, bank account details or anything else that can be used to defraud you.

‘Alternatively, the phishing email may try to encourage you to download an attachment. The email claims it’s something useful, such as a coupon to be used for a discount, a form to fill in to claim a tax rebate, or a piece of software to add security to your phone or computer. 

‘In reality, it’s a virus that infects your phone or computer with malware, which is designed to steal any personal or banking details you’ve saved or hold your device to ransom to get you to pay a fee.’ 

Source: Action Fraud