Security company ESET is now tracking 10 different threat groups or otherwise unique clusters of breaches that have used a chain of vulnerabilities Microsoft patched in Exchange Server last week.

When Microsoft patched the vulnerabilities, the company attributed attacks in the wild to a single actor it dubbed Hafnium, which Microsoft believes is a Chinese state-sponsored group. Since the patch was issued, researchers have identified other groups starting to take advantage of the same vulnerabilities in still-unpatched systems.

ESET's taxonomy of advanced persistent threats using the vulnerabilities is both the most extensive and the first to attribute the attacks to known actors. Interestingly, ESET finds that several groups were using the vulnerabilities in the waning days before the patch.

Nearly all the known groups identified by ESET are nation state or state-sponsored actors; ESET writes in its blog post that only one cluster of activity, a cryptocurrency miner, appears to be from a criminal group. All the previously identified and attributed APTs in the report have either been attributed to the Chinese government in the past or, in one case, to a Chinese-speaking actor in Asia.

The wide variety of potentially-uncoordinated actors may explain why several servers saw multiple web shell installations.

Before the patch was announced, ESET discovered the groups Tick (also known as Bronze Butler), LuckyMouse (also known as APT 27 and Emissary Panda), and Calypso all took advantage of the vulnerability chain. Tick and LuckyMouse have been widely attributed by vendors to China, while Calypso has been attributed to the Asia region by PT Security and is known to speak Chinese.

ESET found Tick breached the systems of an East Asian IT provider on Feb. 28, dropping a Delphi backdoor. LuckyMouse compromised a government system in the Middle East on March 1, using NBScan, ReGourge, and Soldier. Calypso targeted servers in the Middle East and South America using variants of PlugX and Mimikatz.

ESET notes that the groups who used the vulnerabilities before the patch was announced by definition would have known of the vulnerabilities before they were publicized.

A couple other noted instances:

  • Starting on March 2, the day Microsoft announced the patch, the Winnti Group, also widely believed to be from China, targeted East Asian oil and construction companies using PlugX RAT and infrastructure that the group used in previous attacks.
  • Tonto Group, another group widely attributed to China, began using the vulnerabilities on March 3, targeting an Eastern European "consulting company specialized in software development and cybersecurity" and a procurement firm, using ShadowPad malware used by several Chinese groups.
  • Mikroceen, yet another group widely attributed to China began using the vulnerability chain on March 4.
  • ESET identified an additional cluster of ShadowPad activity that doesn't match other campaigns starting on March 3. On the same date, servers in South America were struck by a cluster of IIS-Backdoor breaches.
  • A group using the DLTMiner, possibly hijacking APT's web shells, appeared on March 5.

In its blog post, ESET reiterates Microsoft's advice since the initial announcement.

"It is now clearly beyond prime time to patch all Exchange servers as soon as possible," ESET writes.