ESET said in a series of tweets that CVE-2021-26855 was being actively exploited in the wild by several groups.
"Among them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters," it added.
The security firm said most targets of the attacks were located in the US, "but we’ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities".
Most targets are located in the US but we’ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 3/5 pic.twitter.com/kwxjYPeMlm— ESET research (@ESETresearch) March 2, 2021
The US directive, from the Department of Homeland Security, said partners of the Cybersecurity and Infrastructure Security Agency had observed active exploitation of the four vulnerabilities.
"Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network," the directive said.
The DHS said if no hint of compromise was found, then the patches issued by Microsoft should be immediately applied.
Btw I haven’t seen any exploit code in public (at all) so you’re probably safe from ransomware, coin miners and bug bounty for now — we’re in the realms of APTs spraying the internet for fun/access. pic.twitter.com/kFcuHmBZHA— Kevin Beaumont (@GossiTheDog) March 3, 2021
Those who did find breaches were told to image system memory for later analysis.