EXECUTIVE SUMMARY:

Evidence shows that the four Microsoft Exchange Server vulnerabilities, initially brought to the world’s attention by Hafnium, are being exploited by multiple cyber criminal groups. Reports state that as many as ten advanced persistent threat actors (APTs) are trying to exploit the Exchange vulnerabilities.

The mystery: How were separate cyber crime groups able to access working exploits prior to when the flaws became publicly known?

It’s a rare day when a zero-day vulnerability is exploited by two different groups simultaneously. To see a zero-day vulnerability exploited by six to ten APTs at the same time is “highly unusual, if not unprecedented”.

At present, researchers do not have a clear explanation for the mass exploitation of the Exchange vulnerabilities by such an array of different threat actors.

Here are a handful of speculative hypotheses:

1. A single exploit vendor sold the zero-days to multiple buyers.

2. The Exchange vulnerabilities were posted on a dark web forum.

3. A nefarious enterprise that organizes and orchestrates smaller hacking groups directly handed the vulnerabilities to multiple hacker rings.

Around the world, the number of victims in this situation is slowly increasing. Organizations ranging from major banking institutions to ice cream shops are cleaning up compromised systems.

Should organizations adopt cloud-based email?

Experts report that this attack could have been 10x worse if more organizations still depended on on-premises email management. Because so many organizations now use cloud-based email services, the fallout from the attack will not be as extreme as it would have been five years ago.

In this day and age “…it’s more the exception than the rule when somebody’s all on-prem”, says expert Ryan Noon.

“Cloud technologies like Microsoft 365, Azure, and the additional premium layers of services available as part of these solutions, improve a defender’s ability to protect their own environment,” says Microsoft’s Corporate Vice President of Security, Compliance and Identity, Vasu Jakkal.

For more about the attacks on Microsoft Exchange Servers, see our past coverage or visit Ars Technica.