December 9, 2023

Earlier in the month of March , we have discussed on the Exchange exploits that are actively exploited by threat actors, this post is a continuation of the Previous Exploits CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 which were exploited by at least 10 APT groups.

The earliest exploitation of ProxyLogon (vulnerability CVE-2021- 26855) happened on January 3 by an APT group known as Hafnium. Two months after, another APT group, known as Tick, started to exploit the vulnerability. On March 1, three new groups – LuckyMouse, Calypso, and Websiic – started exploiting the vulnerability. 

Again, the day after, the Winnti group started to exploit this vulnerability. It was just a few hours before Microsoft released a patch for Exchange. It means threat actors actively scanning the Exchange Servers to attack.

Two days after the patch was released, Shodan published statistics, showing that more than 250k servers were vulnerable.

Due to the ongoing mass exploitation and mass scanning, it is likely that most of them have been compromised. The fact that this vulnerability did not require any valid credentials allowed attackers to perform mass scanning and to compromise very quickly most of the unpatched servers.


Tick, was the first APT group that researchers have seen exploiting the vulnerability. Its a cyber espionage group with Chinese origin. On February 28th, they compromised the mail server of an IT company based in East Asia. 


LuckyMouse, also known as Emissary Panda or APT 27, starting to exploit the vulnerability. LuckyMouse is a Chinese cyber espionage group, active at least since 2010. This APT group is known for having breached the ICAO and governments in the Middle East. They have good technical capabilities. Their arsenal includes complex backdoors and a rootkit.


Calypso that compromised the email servers of government entities in the Middle East and South America. In the following days, Calypso also targeted servers of government entities and private companies in Africa, Asia, and Europe. Calypso is a suspected Chinese cyber espionage group, which was first documented by a global provider of enterprise security solutions for vulnerability and compliance management company Positive Technology in 2019.


Websiic targeted several email servers belonging to private IT, telecommunications, and engineering companies in Asia, they also targeted public bodies in Eastern Europe. It is a cyber espionage group. Researchers have not tied Websiic to any known threat actor.

Winnti group

On March 2, a few hours before the release of the patch, they compromised the email server of two companies based in East Asia. It is a cyber espionage group that has been active at least since 2012. They are responsible for high-profile supply chain attacks leading to compromised software, including CCleaner, Asus, and multiple video games. They target a wide range of verticals, including the chemical and pharmaceutical industry, and the education sector.


One day after the release of the patch by Microsoft, the Tonto team compromised the email servers of companies based in Eastern Europe It is a cyber espionage group, and, like Tick, it is pretty old. They mostly target governments and institutions in Russia, Japan, and Mongolia.


On March 3, researchers observed the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East, where ShadowPad was dropped by an attacker, and that they were not able to conclusively attribute to any known groups. ShadowPad is a modular one now used by at least five additional groups: Tick, Tonto Team, KeyBoy, IceFog, and TA428.

The “Opera” Cobalt Strike

Researchers noticed that another set of malicious activities had started. At this point, they don’t know if these threat actors had access to the exploit beforehand or reverse-engineered the patch.From March 3 until March 5, this activity targeting around 650 servers, mostly in the US, Germany, the UK, and other European countries.


The Mikroceen APT group, also known as Vicious Panda, is a threat actor operating since at least 2017. Mikroceen APT group that compromised the Exchange server of a utility company in Central Asia. It is a cyber espionage group that targets mostly Central Asia.


On March 5, The deployment of PowerShell downloaders on multiple email servers that were previously targeted using these Exchange vulnerabilities. Contrary to other groups, DLTMiner is a financially motivated group. It is also known as Sapphire pigeon.


Multiple adversaries have compromised networks prior to patches being applied. And if you apply a patch, your system may still be compromised, the adversary can still be inside of your network, still be able to utilize you to attack others and disrupt your operations. So companies, even those that have applied patches, should make sure that their systems are not breached. 

We have an Exchange Zero day published during recent May 2021 patch Tuesday. Patch it immediately to escape from invaders.

1 thought on “Exchange Exploit on APT Radar

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.