SmarterTools confirmed last week that the Warlock ransomware gang breached its network after compromising an email system, but it did not impact business applications or account data.
The company's Chief Commercial Officer, Derek Curtis, says that the intrusion occurred on January 29, via a single SmarterMail virtual machine (VM) set up by an employee.
"Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network," Curtis explained.
“Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.”
Although SmarterTools assures that customer data wasn’t directly impacted by this breach, 12 Windows servers on the company’s office network, as well as a secondary data center used for laboratory tests, quality control, and hosting, were confirmed to have been compromised.
The attackers moved laterally from that one vulnerable VM via Active Directory, using Windows-centric tooling and persistence methods. Linux servers, which constitute the majority of the company’s infrastructure, were not compromised by this attack.
The vulnerability exploited in the attack to gain access is CVE-2026-23760, an authentication bypass flaw in SmarterMail before Build 9518, which allows resetting administrator passwords and obtaining full privileges.
SmarterTools reports that the attacks were conducted by the Warlock ransomware group, which has also impacted customer machines using a similar activity.
The ransomware operators waited roughly a week after gaining initial access, the final stage being encryption of all reachable machines.
However, in this case, Sentinel One security products reportedly stopped the final payload from performing encryption, the impacted systems were isolated, and data was restored from fresh backups.
... continue reading