Exchange PoC Released and APTs Gather Around Vulnerable Servers Like Piranhas

Last updated June 10, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

The situation with the Microsoft Exchange security lapse is unfolding a lot worse than what even the most pessimistic predictions could suggest, as literally everything is playing out badly. First of all, it took Microsoft a very long time to discover the flaws. Secondly, they spent two months after receiving a detailed report about the vulnerabilities before a patch was released. Thirdly, there are still hundreds of thousands of Exchange servers that remain unpatched and vulnerable.

Source: Forbes

To top all that, a Vietnamese hacker thought that now would be the ideal time to publish his Exchange exploit proof-of-concept code (PoC) on GitHub and explain the technical aspect in detail in a post on Medium. Even before hacking groups had that valuable PoC at their disposal, they were already flocking vulnerable systems, and ESET reports to have identified the activities of at least 10 APT groups launching mass-exploitation attacks since March 3, 2021.

Source: ESET

Obviously, sophisticated actors develop their own exploits, but the PoC could now open the door to less capable actors or non-specialized ransomware groups. Even for skillful hackers, the PoC could help them realize more entrance points. It was just very bad timing for this release, but there are no laws on ethics, so this is what everyone's dealing with right now.

KELA's threat analyst, Victoria Kivilevich told us:

We've been monitoring underground chatter about this and have noticed that numerous threat actors have shown high levels of interest in the newly released PoC exploit for Microsoft Exchange. We've observed that not only are APT groups showing interest driven from an espionage motivation, BUT cybercriminals are also showing interest as they see the potential monetary value that can be gained from exploiting this vulnerability. Please see below some example of chatter showing the interest of threat actors in various underground forums:

Source: KELA
Source: KELA

In the meantime, the number of organizations that are admitting huge-scale email data compromises grows exponentially by the day. In Germany, the national cybersecurity watchdog announced that as many as 60,000 computers were exposed to the flaw, 25,000 of which remain unpatched. In Norway, the parliament admitted that it had suffered a cyberattack where the actors exploited the recently disclosed Exchange flaws.

In the United States, the number of compromised entities is too big to even estimate right now, but CISA maintains that at least it doesn’t include any federal agencies.

We are clearly in the stage of widespread exploitation. At the same time, cybersecurity agencies are investigating, trying to figure out who may have been compromised and what could have been accessed. Exchange and SolarWinds were so close and so big that the same teams that were already overwhelmed investigating and coordinating the first incident response are now called to split their time and focus their attention on the new problem.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: