Hafnium’s cyberespionage campaign exploiting now-patched Exchange Server zero-days morphed, in late February, into multiple campaigns conducted by both state-directed and criminal threat actors. France 24’s account of the incident bears out its headline: it’s become a “global crisis.”
Criminal interest in exploiting unpatched Exchange Servers continues unabated. Check Point says it’s observed attacks increase by an order of magnitude over the past week. KnowBe4 reports a similar rise in account impersonation attempts.
CISA has updated its advice on dealing with Microsoft Exchange Server exploitation to include notes on China Chopper webshells being used against victims. The UK’s National Cyber Security Centre (NCSC), like its counterparts in the US, Germany, and elsewhere, has urged all organizations, both public and private, to apply Microsoft’s patches as soon as possible. They also recommend that all organizations look for signs of compromise by threat actors, whether Chinese intelligence services or criminal gangs.
Microsoft itself continues to update guidance on protecting on-premises Exchange Servers from attacks. Yesterday the Microsoft Security Response…