Hackers breach SmarterTools network using flaw in its own software
Source: Bleeping Computer

Breach Overview
- Date of intrusion: January 29, via a single SmarterMail virtual machine (VM) set up by an employee.
- Scope: 12 Windows servers on the office network and a secondary data‑center used for laboratory tests, quality control, and hosting were compromised.
- Lateral movement: Attackers moved laterally through Active Directory using Windows‑centric tooling and persistence methods.
- Unaffected assets: Linux servers, which make up the majority of the infrastructure, remained untouched.
“Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.” – Derek Curtis, Chief Commercial Officer, SmarterTools
Vulnerability Exploited
- CVE‑2026‑23760 – An authentication‑bypass flaw in SmarterMail (pre‑Build 9518) that allows resetting administrator passwords and obtaining full privileges.
- Details: BleepingComputer article on the flaw
Threat Actor
- Group: Warlock ransomware gang (linked to the Chinese nation‑state actor Storm‑2603).
- Attribution sources:
  - Cisco Talos – abuse of the open‑source DFIR tool Velociraptor.
  - Halcyon (Oct 2025) – connection to Storm‑2603.
  - ReliaQuest – report confirming Storm‑2603 involvement with moderate‑to‑high confidence.
- Report: ReliaQuest blog
Tools & Techniques
- Tools used: Velociraptor, SimpleHelp, vulnerable versions of WinRAR.
- Persistence: Startup items and scheduled tasks.
- Additional probes: CVE‑2026‑24423 (SmarterMail RCE flaw flagged by CISA).
Response and Mitigation
- Detection: SentinelOne security products stopped the final encryption payload.
- Containment: Impacted systems were isolated.
- Recovery: Data restored from fresh backups.
Recommendations
- Patch promptly: Upgrade SmarterMail to Build 9511 or later.
  - Upgrade guide: SmarterTools release notes
- Maintain an asset inventory: Ensure all VMs and servers receive regular updates.
- Monitor for abnormal AD activity: Look for lateral‑movement patterns and unauthorized tool usage.
- Implement a robust backup strategy: Keep offline, immutable backups to enable rapid restoration.