HomeWinBuzzer NewsMicrosoft Exchange Server Targeted by Lemon Duck Botnet Group

Microsoft Exchange Server Targeted by Lemon Duck Botnet Group

A threat group using the Lemon Duck botnet is now targeting Microsoft Exchange Server vulnerabilities against unpatched systems.


Exchange Vulnerabilities has been used as part of a new attack from the threat group behind the Lemon Duck botnet. According to security researchers from Cisco Talos, the are also mimicking legitimate domains with decoys.

This shows Microsoft Server Exchange exploits are still happening. Earlier this year, zero-day vulnerabilities in the service caused havoc for tens of thousands of organizations.

Microsoft Exchange Server was successfully atttacked through an exploit first used by the HAFNIUM group. More threat groups have since targeted the exploit. Microsoft has sent out patches for all versions of the service, including those out of support.

Microsoft says updating Exchange Server is the best way to avoid the exploit. Furthermore, the company has launched a tool to help customers know if they have been breached. In April, Microsoft released a new update of security patches for Exchange Server.

However, the latest research from Cisco Talos suggest exploits are still happening. It is thought 60,000 organizations have been compromised by the breach. Furthermore, businesses that have still not installed patches remain vulnerable to attack. It is those organizations threat groups are targeting.

Lemon Duck

Back in March, Microsoft named the Lemon Duck botnet attack group as one of 10 advanced persistent threat (APT) groups targeting vulnerabilities in Exchange Server. Cisco Talos describes how the Lemon Duck botnet is being used against Microsoft Exchange Server.

Specifically, hackers behind the Lemon Duck botnet are using new tools that can enhance their attacks. By using automated tools, attackers can scan and find servers and then exploit them by loading Cobalt Strike DNS and web shells:

“The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments,” the researchers say.

“New TTPs consistent with those reportedly related to widespread exploitation of high-profile Microsoft Exchange software vulnerabilities, and additional host-based evidence suggest that this threat actor is also now showing a specific interest in targeting Exchange Servers as they attempt to compromise additional systems and maintain and/or increase the number of systems within the Lemon Duck botnet.”

Tip of the day:

File History is a Windows 10 back up feature that saves each version of files in the Documents, Pictures, Videos, Desktop, and Offline OneDrive folders. Though its name implies a primary focus on version control, you can actually use it as a fully-fledged backup tool for your important documents.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News