The Microsoft Exchange attacks are taking new twists day by day. In just days, the threat escalated from limited state-sponsored attacks to numerous targeted attacks by multiple hacking groups. The severity of the attacks also escalated from web shells to ransomware. “We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” Microsoft said.
Microsoft’s security researcher Phillip Misner stated that ransomware operators are now exploiting recently disclosed ProxyLogon vulnerabilities in their attacks. It was found that the threat actors installed new ransomware dubbed “DearCry” after compromising Microsoft Exchange servers.
What Misner says…
Microsoft observed a new family of human-operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A. Human-operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers. #DearCry @MsftSecIntel
— Phillip Misner (@phillip_misner) March 12, 2021
Once a server is compromised, the DearCry ransomware creates a Windows service named “msupdate” that encrypts the sensitive information on it. Thousands of Exchange servers are suspected to be vulnerable to DearCry ransomware, and hundreds are believed to have already been compromised.
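As an added defender-side example (not code from the article or from Microsoft), the following Python scans simplified Windows System-log export lines for service-installation records (Event ID 7045) whose service name matches the “msupdate” name reported above, or whose binary sits in a user-writable scratch directory (an assumed heuristic, not something the article states). The key=value log format, the host names and every sample value are constructed for the example.

```python
import re

# Constructed sample lines (not real telemetry): one System-log record per
# line in a simplified key=value export. Event ID 7045 = "a service was
# installed in the system"; 7036 is an ordinary service state change.
SAMPLE_EVENTS = [
    'EventID=7045 Host=EXCH01 ServiceName=msupdate ImagePath="C:\\Windows\\Temp\\m.exe" StartType=auto',
    'EventID=7045 Host=EXCH01 ServiceName=MSExchangeTransport ImagePath="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\MSExchangeTransport.exe" StartType=auto',
    'EventID=7036 Host=EXCH01 Message="The msupdate service entered the running state."',
    'EventID=7045 Host=EXCH02 ServiceName=MsUpdate ImagePath="C:\\Users\\Public\\svc.exe" StartType=auto',
]

# Service name taken from the DearCry reporting above (compared case-insensitively).
SUSPICIOUS_SERVICE_NAMES = {"msupdate"}

# Assumed heuristic: a service binary installed from a scratch location that
# any user can write to deserves a look regardless of its name.
UNUSUAL_IMAGE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\public\\")

# key=value pairs; values may be double-quoted (paths with spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one export line into a dict of field name -> value."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def find_suspicious_service_installs(lines):
    """Return one finding per 7045 record that trips either check."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue  # only service-installation records are of interest here
        name = ev.get("ServiceName", "")
        image = ev.get("ImagePath", "")
        reasons = []
        if name.lower() in SUSPICIOUS_SERVICE_NAMES:
            reasons.append("service name matches known DearCry service 'msupdate'")
        if image.lower().startswith(UNUSUAL_IMAGE_PREFIXES):
            reasons.append("service binary installed from a user-writable scratch path")
        if reasons:
            hits.append({"host": ev.get("Host"), "service": name,
                         "image": image, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_service_installs(SAMPLE_EVENTS):
        print(hit["host"], hit["service"], hit["image"], "; ".join(hit["reasons"]))
```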
Hafnium is Still Active!
Earlier, the Microsoft Threat Intelligence Center (MSTIC) identified a state-sponsored threat actor group targeting unpatched vulnerabilities in Microsoft systems. Dubbed Hafnium, the hacking group is suspected to be operating from China, using leased virtual private servers (VPS) in the U.S. The group had earlier targeted several entities in the U.S. to exfiltrate sensitive data from multiple industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Microsoft released fixes to address four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) and three other vulnerabilities (CVE-2021-27078, CVE-2021-26854, and CVE-2021-26412) in Microsoft Exchange Server. The technology giant urged organizations and users to apply the available security patches, or to temporarily disable external access to Microsoft Exchange, as early as possible.
“Our strong recommendation is that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs,” Microsoft added.