
10 groups now targeting Hafnium Microsoft Exchange vulnerabilities

March 10, 2021
The Visitor's Center at Microsoft Headquarters campus in Redmond, Washington. Ten different threat groups or otherwise unique clusters of breaches have used a chain of vulnerabilities Microsoft patched in Exchange Server. (Stephen Brashear/Getty Images)
  • Starting on March 2, the day Microsoft announced the patch, the Winnti Group, also widely believed to be from China, targeted East Asian oil and construction companies using PlugX RAT and infrastructure that the group used in previous attacks.
  • Tonto Group, another group widely attributed to China, began using the vulnerabilities on March 3, targeting an Eastern European "consulting company specialized in software development and cybersecurity" and a procurement firm, using ShadowPad malware used by several Chinese groups.
  • Mikroceen, yet another group widely attributed to China, began using the vulnerability chain on March 4.
  • ESET identified an additional cluster of ShadowPad activity that doesn't match other campaigns starting on March 3. On the same date, servers in South America were struck by a cluster of IIS-Backdoor breaches.
  • A group deploying the DLTMiner cryptominer, possibly by hijacking web shells already planted by the APT groups, appeared on March 5.