New Hacker Groups Target Microsoft Email Severs

4 New Hacker Groups Target Microsoft Email Servers

( 3 min read )

After the focused attacks on Microsoft email servers by alleged state-sponsored hacking groups (known popularly as the Hafnium group), other hacking groups are now joining the party. These groups are bent on exploiting flaws and vulnerabilities in Microsoft email servers. The results of these directed hacking efforts on Microsoft’s email solution architecture are projected to be disastrous to public and private organizations the world over.

How the attacks on Microsoft email servers began

The first group to kickstart these attack campaigns against Microsoft solutions was the Chinese Hafnium group. They took advantage of security gaps in the architecture to illegally access sensitive data and leave behind backdoor opportunities for other more dangerous malware to enter the compromised system.

It’s hard to imagine cyber criminals gossiping at a tea-party but word does get around fast in the cyber world. Once knowledge began to spread that there were vulnerabilities in Microsoft email servers, it became an open invitation to other hacker groups to try their luck.

What new threats do Microsoft email servers face now?

“There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,” says Katie Nickels, leader of an intelligence team at a cybersecurity firm. A cluster in the cybersecurity context means grouped hacking activity with similar signatures which are hidden in the hackers’ techniques, tricks, method of operation etc.

Of the five, Microsoft believes the Hafnium group is the most sophisticated and most dangerous threat actor. They are the pioneers of the targeted efforts against Microsoft email solutions.

Following at Hafnium’s heel are at least 4 new hacker groups. Their identity, intentions, and method of entry is still ambiguous. Katie Nickels explained how the Hafnium group could have sold their backdoor accounts at a hefty price, or shared their malicious code which could bypass the security measures in place. It could also be possible these new hacker groups could’ve studied the Hafnium activity and worked backwards to find out how they were able to breach Microsoft email servers.

“The challenge is that this is all so murky and there is so much overlap,” says Nickels. “What we’ve seen is that from when Microsoft published about Hafnium, it’s expanded beyond just Hafnium. We’ve seen activity that looks different from tactics, techniques, and procedures from what they reported on.”

Why backdoor accounts pose a serious threat

Through vulnerabilities in Microsoft Exchange servers – which Microsoft’s customers extend as their own email service – hackers can and did create a web shell, a remote hacking tool that enables backdoor access and total control of the victim machine. Web shells allow hackers to manipulate the infected server machine remotely over the internet and then steal data from not only the particular machine but throughout the machine’s network. The web shell persists through Microsoft’s patch to fix the vulnerabilities, meaning that if even if you update your Microsoft Exchange email server, the re-entry of malware remains an ever-present threat.

Possible preventive measures against email attacks

Microsoft, with crucial urgency, instructs its users to update to the latest Exchange versions ASAP. But the web shells complicate things further and call for a thorough investigation and clean-up of several victims’ networks before they can breathe easy again.

The countermeasure that works best is to keep such attacks away in the first place. You can do that with bulletproof email gateway protection services which stop email threats at the entry level itself. Yes, Microsoft has its own security mechanisms in place, but as has now become evident, nothing is impregnable. Add an additional layer of security to your email. One of the tools that help you protect your email is the Logix Cloud Email ATP solution. Amongst several other modern features, a useful feature we provide is protection against zero-day attacks. Become less susceptible to cyber-attacks due to an older server patch and protect your email thoroughly.

Leave a Reply

Your email address will not be published. Required fields are marked *