Privacy Ninja
More Hacking Groups Join Microsoft Exchange Attack Frenzy

More state-sponsored hacking groups have joined the ongoing attacks targeting tens of thousands of on-premises Exchange servers impacted by severe vulnerabilities tracked as ProxyLogon.

After Microsoft’s initial report that the vulnerabilities were actively exploited by a Chinese APT group named Hafnium, Slovak internet security firm ESET shared info on at least three other Chinese-backed hacking groups abusing the ProxyLogon flaws in ongoing attacks.

Besides those three (APT27, Bronze Butler aka Tick, and Calypso), ESET said it also identified several “additional yet-unclassified clusters.”

In a Friday update to their announcement, Microsoft said that several other threat actors “beyond HAFNIUM” are also exploiting the four critical Exchange flaws.

Based on ESET’s (incomplete) telemetry, web shells have already been deployed on over 5,000 unique Exchange servers from over 115 countries.

Webshell detections by country (ESET)

Exchange servers attacked by multiple hacking groups

ESET has now published a new report saying that unpatched Exchange servers are currently hunted down by “at least 10 APT groups.”

On top of the previously mentioned APTs (APT27, Tick, and Calypso), ESET’s new list also includes Winnti Group (APT41), Tonto Team, Mikroceen, and a newly detected threat actor dubbed Websiic.

While analyzing telemetry data, the company has also spotted ShadowPad, “Opera” Cobalt Strike, IIS backdoor, and DLTMiner activity by unknown APT groups.

ESET also provided a short rundown of these threat groups and behavior clusters’ malicious activity:

  • Tick (Bronze Butler) – compromised the webserver of a company based in East Asia that provides IT services. As in the case of LuckyMouse and Calypso, the group likely had access to an exploit prior to the release of the patches.
  • LuckyMouse (APT27) – compromised the email server of a governmental entity in the Middle East. This APT group likely had an exploit at least one day before the patches were released, when it was still a zero-day.
  • Calypso – compromised the email servers of governmental entities in the Middle East and in South America. The group likely had access to the exploit as a zero-day. In the following days, Calypso operators targeted additional servers of governmental entities and private companies in Africa, Asia, and Europe.
  • Websiic – targeted seven email servers belonging to private companies (in the domains of IT, telecommunications, and engineering) in Asia and a governmental body in Eastern Europe.
  • Winnti Group – compromised the email servers of an oil company and a construction equipment company in Asia. The group likely had access to an exploit prior to the release of the patches.
  • Tonto Team – compromised the email servers of a procurement company and of a consulting company specialized in software development and cybersecurity, both based in Eastern Europe.
  • ShadowPad activity – compromised the email servers of a software development company based in Asia and a real estate company based in the Middle East. ESET detected a variant of the ShadowPad backdoor dropped by an unknown group.
  • The “Opera” Cobalt Strike – targeted around 650 servers, mostly in the US, Germany, the UK, and other European countries just a few hours after the patches were released.
  • IIS backdoors – ESET observed IIS backdoors installed via web shells used in these compromises on four email servers located in Asia and South America. One of the backdoors is publicly known as Owlproxy.
  • Mikroceen – compromised the Exchange server of a utility company in Central Asia, which is the region this group typically targets.
  • DLTMiner – ESET detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using the Exchange vulnerabilities. The network infrastructure used in this attack is linked to a previously reported coin-mining campaign.

“It is now clearly beyond prime time to patch all Exchange servers as soon as possible,” ESET concluded.

“Even those not directly exposed to the internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these vulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and then move laterally from it.”

Detailed info on the servers compromised by these hacking groups and the threat actors behind the not yet attributed malicious activity, including indicators of compromise, can be found in ESET’s report.

ProxyLogon attacks timeline (ESET)

Over 46,000 servers still exposed to attacks

After scanning 250,000 Exchange servers worldwide, the Dutch Institute for Vulnerability Disclosure (DIVD) reported Tuesday that it found 46,000 servers unpatched against the heavily exploited ProxyLogon vulnerabilities.

The critical vulnerabilities were patched by Microsoft on March 2nd, with additional security updates issued by the company this week for multiple unsupported Exchange versions.

Redmond has also updated the Microsoft Safety Scanner (MSERT) tool to help customers detect web shells deployed in the ongoing Exchange Server attacks.

You can find additional info on installing the security updates in this article published by the Microsoft Exchange Team.

If you haven’t yet patched and detect signs of compromise, you have to remove the web shells deployed by the attackers, change all credentials, and investigate additional malicious activity on your servers.
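Both the MSERT update mentioned above and the remediation steps in the last paragraph come down to the same first task: finding web shells that were dropped into IIS content directories. The script below is an added example, not code from the article, ESET or Microsoft. It is a small triage helper that walks a directory tree, picks out files with server-executable extensions, flags those whose contents match a few web-shell heuristics, and optionally restricts results to files modified after a cut-off such as the patch release date. The directory layout, the heuristic patterns, the `PATCH_CUTOFF` constant and the sample files it builds are all constructed assumptions for illustration; the sample "shell" is deliberately non-functional and only has the textual shape the heuristics look for.

```python
"""Triage helper: hunt for web-shell-like files under an IIS content root.

Added example, not from the article, ESET or Microsoft. Paths, patterns, the
cut-off timestamp and the sample files are constructed assumptions.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extensions IIS executes server-side; a dropped web shell is normally one of these.
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}

# Textual heuristics typical of ASP.NET web shells (assumed, not a vendor signature set).
SUSPICIOUS_PATTERNS = {
    "eval_of_request": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "unsafe_eval_flag": re.compile(r'"unsafe"', re.IGNORECASE),
    "process_launch": re.compile(r"Process\.Start|cmd\.exe|powershell(\.exe)?", re.IGNORECASE),
    "server_side_script_block": re.compile(r'<script[^>]*runat\s*=\s*"?server', re.IGNORECASE),
}

# Constructed cut-off: 2021-03-02 00:00 UTC, the day the article says the patches shipped.
PATCH_CUTOFF = 1614643200


def scan_file(path: Path) -> List[str]:
    """Return the names of the suspicious patterns present in one file ([] if clean)."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def scan_tree(root: str, modified_since: Optional[float] = None) -> List[Dict]:
    """Walk `root` and report executable web files that match at least one heuristic.

    `modified_since` (epoch seconds) drops files last written before that time, so an
    analyst can focus on what appeared after the patch date; None scans everything.
    Findings are newest first, which is usually the right reading order during triage.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in WEB_EXTENSIONS:
                continue
            mtime = path.stat().st_mtime
            if modified_since is not None and mtime < modified_since:
                continue
            hits = scan_file(path)
            if hits:
                findings.append({"name": name, "path": str(path), "mtime": mtime, "hits": hits})
    return sorted(findings, key=lambda f: f["mtime"], reverse=True)


# Constructed, non-functional placeholder: it has the shape of a one-line shell in a
# comment but launches nothing and evaluates nothing.
_FAKE_SHELL = (
    '<%@ Page Language="C#" %>\n'
    '<script runat="server">\n'
    '    // eval(Request.Item["__sample__"], "unsafe")  Process.Start("cmd.exe")\n'
    '</script>\n'
)


def build_sample_tree() -> str:
    """Create a constructed directory mimicking an IIS content root and return its path.

    Contents: one benign page, one fresh suspicious page under aspnet_client, and one
    suspicious page whose mtime is set to a constructed date well before PATCH_CUTOFF.
    """
    root = tempfile.mkdtemp(prefix="iis_sample_")
    aspnet = Path(root) / "aspnet_client"
    aspnet.mkdir()
    (Path(root) / "owa_logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n'
    )
    (aspnet / "help.aspx").write_text(_FAKE_SHELL)
    old = Path(root) / "old_tool.aspx"
    old.write_text(_FAKE_SHELL)
    os.utime(old, (1500000000, 1500000000))  # constructed mtime: July 2017
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root, modified_since=PATCH_CUTOFF):
        print(finding["path"], sorted(finding["hits"]))
```

Pointing `scan_tree` at a real IIS content root (as a non-interactive copy, not the live server) gives a prioritised list to review by hand; every hit still needs eyeballing, because legitimate admin pages can trip the `process_launch` heuristic, and a shell that only matches none of these patterns will be missed, so this complements rather than replaces a signature scanner such as MSERT.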
