Those Microsoft Exchange security flaws are really getting pummeled. If ever there was a time for cybersecurity reporters to trot out metaphors involving phrases like “blood in the water” and maybe “deranged swarm of piranhas,” it might be right now.
At least 10 separate advanced persistent threat actors (a fancy term for well-organized hacker groups) are targeting the email product’s vulnerabilities, according to security firm ESET. This is contrary to what Microsoft initially said, which is that the flaws were mainly being targeted by one group, a “state-sponsored” threat actor located in China that they are calling “HAFNIUM.”
Instead, ESET reports that Exchange is basically getting pillaged by close to a dozen different groups, all of which have names that sound like bad gamertags, including Tick, LuckyMouse, Calypso, Websiic, Winnti, TontoTeam, Mikroceen and DLTMiner. There are also apparently two other hacker groups that have not yet been identified. So, yeah, it’s a pretty big mess.
The hacking seems to have picked up directly after Microsoft released its patches, too, as ESET’s report states that “the day after the release of the patch” security researchers “started to see many more threat actors (including Tonto Team and Mikroceen) scanning and compromising Exchange servers en masse.”
A security researcher with DomainTools has also thrown cold water on the idea that “HAFNIUM” is actually a hacker group associated with the Chinese government. So, on top of everything else, it’s not even clear who or what “HAFNIUM” is:
“While such a link [to the PRC] is certainly possible and has not been ruled out, as of this writing no conclusive evidence has emerged linking HAFNIUM operations to the People’s Republic of China (PRC). And HAFNIUM is also far from the only entity assessed to be targeting this vulnerability.”
Who is getting targeted? According to a statement from the FBI published Wednesday, it would appear the answer is: pretty much everybody.
Threat actors have targeted local governments, academic institutions, non-governmental organizations, and business entities in multiple industry sectors, including agriculture, biotechnology, aerospace, defense, legal services, power utilities, and pharmaceutical.
While the entities in the U.S. said to be affected number 30,000 or more, it’s so far been a slow trickle of disclosures—though local governments and small businesses are some of the more heavily targeted. On Wednesday, U.S. officials said that, so far, there is no evidence of federal executive agencies having been compromised by the attacks.