On March 2, 2021, several companies released reports about in-the-wild exploitation of several zero-day vulnerabilities in Microsoft Exchange Server, leading to arbitrary code execution within the Exchange Server context and full access to the email accounts on the server. While the patch has already been released by Microsoft, Kaspersky researchers are witnessing an active growth of attacks attempting to exploit these vulnerabilities, with organisations in Europe and the USA being hit the most.
Since the beginning of March 2021, Kaspersky has detected related attacks on over 1200 users, with this number continually growing. The largest share (26.93%) of targeted users was based in Germany. Italy, Austria, Switzerland and the US are among the other countries hit the most.
Figure: Share of users attacked (% of users) in relation to the new Microsoft Exchange Server vulnerabilities according to Kaspersky telemetry, March 2021
“From the beginning, we anticipated that attempts to exploit these vulnerabilities will increase rapidly, and this is exactly what we are seeing now – so far we have detected such attacks in over a hundred countries essentially in every part of the world. Due to the nature of these vulnerabilities, numerous organisations are at risk. Even though the initial attacks may have been targeted, there is no reason for actors to not try their luck by attacking essentially any organisation that runs a vulnerable server. These attacks are associated with a high risk of data theft or even ransomware attacks, and, therefore, organisations need to take protective measures as soon as possible”, comments Anton Ivanov, VP Threat Research at Kaspersky.
Kaspersky products detect the threat and protect against the recently discovered Microsoft Exchange Server vulnerabilities using different technologies, including Behavior Detection and Exploit Prevention components. Kaspersky detects the exploitation and related artifacts with the following detection names:
Learn more about the attacks exploiting Microsoft Exchange Server vulnerabilities on Securelist.
To protect against attacks exploiting the aforementioned vulnerability, Kaspersky recommends the following: