Exchange Server exploitation spreads. US CYBERCOM says SolarWinds exploitation thwarted. FIN8 is back. TA800’s new access tool.

Microsoft Exchange Server vulnerabilities have been exploited against Norway’s parliament. BleepingComputer reports that the Storting yesterday disclosed that it had lost some data, but that investigation was incomplete, and the full extent of the damage was still unknown. The Storting thinks this attack is unconnected to the incursion by Fancy Bear, Russia’s GRU, that was discovered in December.

Many threat actors, both intelligence services and criminal gangs, have rushed to exploit these Exchange Server vulnerabilities. The FBI and CISA yesterday issued a joint advisory on the Microsoft Exchange Server compromise. It includes a summary of the methods the threat actors are using against their targets as well as a set of actions victims can take to mitigate the damage. The advisory remains coy about attribution (“nation-state actors and cyber criminals are likely among those exploiting these vulnerabilities”).

Reuters’ Chris Bing tweets that CISA expects to release, “soon,” more evidence attributing the SolarWinds compromise to Russia. In the meantime US Cyber Command has offered some reassurance about the dot mil domain. The Record reports that Cyber Command’s Executive Director told the Intelligence and National Security Alliance that “To date, there’s no evidence of a compromise in DoD networks because of the SolarWinds attack. That doesn’t mean we weren’t exposed… The layers of defense we had in place prevented the adversary from advancing from the toehold they had.”

Bitdefender warns that the FIN8 criminal group has resumed operation. 

Proofpoint reports that the TA800 gang is using a new initial access tool, Nimzaloader.