Hackers Exchange Servers Ransomware
Quick Summary: This blog looks at how hackers are exploiting vulnerable Microsoft Exchange servers to deploy ransomware. After breaking into a server, they encrypt its data and demand a ransom to restore access. The blog examines the attack’s implications and how it is likely to reshape cybersecurity practices, and it underscores the pressing need for robust protection against evolving hacking techniques. Organizations must bolster their security strategies to stay ahead in the ongoing battle against cyber threats.
Introduction
A worrying trend has emerged in the constantly changing cybersecurity landscape: hackers using Exchange servers as the entry point for ransomware attacks. Simple data breaches give way to the outright hijacking of crucial systems, causing chaos and financial instability. This blog explores the risks of ransomware that uses Exchange servers as its delivery system.
Understanding the inner workings of these attacks is essential to bolstering our defense strategies. You can get help from Security Testing Services.
In the sections that follow, we unravel the methods, motives, and potential countermeasures against this emerging breed of cyber threat.
Let’s discuss the key issues behind the Exchange Server ransomware attacks.
Overview
Hackers are exploiting vulnerable Exchange servers to deploy ransomware, Microsoft says.
Microsoft has warned that hackers are exploiting recently disclosed vulnerabilities in Exchange email servers to deploy ransomware, putting tens of thousands of email servers at risk of destructive attacks.
In a tweet late Thursday, the tech giant said it had detected a new kind of file-encrypting malware, called DoejoCrypt or DearCry, that uses the same four vulnerabilities Microsoft linked to the China-backed hacking group Hafnium.
When chained together, the vulnerabilities allow the hacker to control a vulnerable system completely.
Microsoft said Hafnium is the “primary” group exploiting the flaws, likely for espionage and intelligence gathering. But other security firms say they have seen other hacking groups use the same weaknesses; ESET noted that at least ten groups are actively compromising Exchange servers.
Michael Gillespie
The new ransomware surfaced less than a day after security researchers published proof-of-concept exploit code for the vulnerabilities on Microsoft-owned GitHub. GitHub removed the code shortly afterwards, saying it violated the company’s policies.
Marcus Hutchins
The security researcher at Kryptos Logic said in a tweet that the code worked, albeit with some fixes.
Threat intelligence
Threat intelligence company RiskIQ reported detecting over 82,000 vulnerable servers as of Thursday, though the number is declining. The company noted that hundreds of servers owned by banks and healthcare companies remain affected, along with over 150 servers within the U.S. federal government.
That is a rapid drop from the almost 400,000 vulnerable servers present when Microsoft first disclosed the vulnerabilities on March 2.
Microsoft released security patches last week, but patching only closes the initial entry point: it does not evict an attacker who has already breached a server, nor remove the web shells or other backdoors left behind, so patched servers still need to be checked for signs of compromise. The FBI and CISA, the federal government’s cybersecurity advisory unit, have warned that the vulnerabilities present a significant risk to businesses across the United States.
John Hultquist, vice president of analysis at FireEye’s Mandiant threat intelligence unit, said he anticipates more ransomware groups trying to cash in.
What Are The Vulnerabilities And Why Are They Important?
ProxyLogon is a set of severe vulnerabilities affecting on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 (Exchange Online is not affected). Microsoft also updated Exchange Server 2010 for “defense-in-depth purposes.”
- CVE-2021-26855 (CVSS 9.1): a server-side request forgery (SSRF) vulnerability that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server. The server must accept untrusted connections on port 443 for this bug to be exploitable.
- CVE-2021-26857 (CVSS 7.8): an insecure deserialization vulnerability in the Exchange Unified Messaging service that allows arbitrary code execution as SYSTEM. Exploiting it requires administrator permission or another vulnerability.
- CVE-2021-26858 (CVSS 7.8): a post-authentication arbitrary file write vulnerability. An attacker who can authenticate to the Exchange server, whether by exploiting CVE-2021-26855 or with stolen administrator credentials, can write a file to any path on the server.
- CVE-2021-27065 (CVSS 7.8): a second post-authentication arbitrary file write vulnerability with the same effect.
Used together in an attack chain, these vulnerabilities lead to remote code execution (RCE), server hijacking, backdoors, data theft, and further malware deployment.
In summary, Microsoft says the attackers gain access to the Exchange Server either through these bugs or with stolen credentials, then create a web shell to hijack the system and execute commands remotely.
“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443.
You can protect against this by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.
This mitigation only protects against the initial portion of the attack; if an attacker already has access or can convince an administrator to run a malicious file, they can trigger other pieces of the chain.”
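Because the patches do not clean up an existing compromise, the practical follow-up to the chain described above is to check the server’s own logs for signs that it was used. The script below is an added example (not code from the original post, and not Microsoft’s own Test-ProxyLogon script) that applies two of the indicators Microsoft published for this chain to constructed sample logs: for CVE-2021-26855, an HttpProxy request with an empty AuthenticatedUser but an AnchorMailbox of the form ServerInfo~host/path (a normal client is either authenticated or carries no anchor); for CVE-2021-27065, a Set-*VirtualDirectory cmdlet in the ECP server log, the call abused to write a web shell through a virtual directory’s ExternalUrl. The log layouts, column names, sample entries and the hypothetical Hit type are constructed for this example; the real files carry many more columns, so treat this as the shape of the check, not a drop-in replacement for Microsoft’s tooling.

```python
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of an Exchange HttpProxy log (not a real capture). Real
# files start with '#' metadata lines followed by a CSV header; only a few of
# the real columns are kept here.
SAMPLE_HTTPPROXY_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-05T00:00:00.000Z
DateTime,ClientIpAddress,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent
2021-03-05T10:15:01.120Z,203.0.113.5,/owa/auth/logon.aspx,Anonymous,False,,,Mozilla/5.0
2021-03-05T10:15:44.331Z,203.0.113.5,/ecp/y.js,Anonymous,False,,ServerInfo~localhost/ecp/default.flt,python-requests/2.25.1
2021-03-05T10:16:02.009Z,192.0.2.33,/ews/exchange.asmx,Negotiate,True,CORP\\jsmith,,Microsoft Office/16.0
2021-03-05T10:16:30.777Z,203.0.113.5,/ecp/x.js,Anonymous,False,,ServerInfo~localhost/ecp/DDI/DDIService.svc/GetObject,python-requests/2.25.1
"""

# Constructed sample of an ECP server log in a simplified "time,client,message"
# layout (the real column set differs; only the command text matters here).
SAMPLE_ECP_SERVER_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: ECP Server Logs
2021-03-05T10:16:31.102Z,203.0.113.5,S:Cmd=Get-OabVirtualDirectory
2021-03-05T10:16:31.540Z,203.0.113.5,S:Cmd=Set-OabVirtualDirectory -ExternalUrl (value omitted)
2021-03-05T11:02:00.000Z,192.0.2.10,S:Cmd=Get-Mailbox
"""

# CVE-2021-26855 indicator: AnchorMailbox of the form "ServerInfo~<host>/<path>".
ANCHOR_PATTERN = re.compile(r"^ServerInfo~[^/]+/.+")
# CVE-2021-27065 indicator: a Set-*VirtualDirectory cmdlet recorded by ECP.
VDIR_PATTERN = re.compile(r"Set-\w*VirtualDirectory")


@dataclass(frozen=True)
class Hit:
    source: str   # which log the indicator came from
    when: str     # timestamp as written in the log
    client: str   # client IP address
    detail: str   # the matching value (anchor mailbox or cmdlet name)


def exchange_csv_rows(text: str) -> list[dict[str, str]]:
    """Parse an Exchange CSV log, skipping the leading '#' metadata lines."""
    body = "\n".join(line for line in text.splitlines() if not line.startswith("#"))
    return list(csv.DictReader(io.StringIO(body)))


def find_ssrf_hits(httpproxy_text: str) -> list[Hit]:
    """Requests that were never authenticated yet carry a ServerInfo~ anchor.

    That combination is the SSRF being used to reach a backend endpoint as
    the server itself; authenticated rows and rows without an anchor are
    ignored even if they come from the same client.
    """
    hits = []
    for row in exchange_csv_rows(httpproxy_text):
        anchor = (row.get("AnchorMailbox") or "").strip()
        user = (row.get("AuthenticatedUser") or "").strip()
        if not user and ANCHOR_PATTERN.match(anchor):
            hits.append(Hit("HttpProxy", row["DateTime"], row["ClientIpAddress"], anchor))
    return hits


def find_vdir_writes(ecp_text: str) -> list[Hit]:
    """Set-*VirtualDirectory calls, the post-authentication step that writes
    attacker-controlled content (the ExternalUrl) to disk."""
    hits = []
    for line in ecp_text.splitlines():
        if line.startswith("#"):
            continue
        match = VDIR_PATTERN.search(line)
        if match:
            fields = line.split(",", 2)
            client = fields[1] if len(fields) > 1 else ""
            hits.append(Hit("ECP", fields[0], client, match.group(0)))
    return hits


def triage(httpproxy_text: str, ecp_text: str) -> list[Hit]:
    """Run both checks and return every hit, HttpProxy hits first."""
    return find_ssrf_hits(httpproxy_text) + find_vdir_writes(ecp_text)


if __name__ == "__main__":
    for h in triage(SAMPLE_HTTPPROXY_LOG, SAMPLE_ECP_SERVER_LOG):
        print(f"[{h.source}] {h.when} client={h.client} {h.detail}")
```

On the constructed input the SSRF check flags the two anonymous requests from 203.0.113.5 and skips the authenticated EWS request, and the ECP check flags the Set-OabVirtualDirectory call that follows seconds later from the same client; that ordering (anonymous ServerInfo~ anchors, then a virtual-directory write) is what the chain looks like in the logs, and a hit on either check means the server needs a full compromise assessment rather than just the patch.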
Who Is Responsible For Known Ransomware Attacks?
Microsoft attributes the original attacks using the zero-day flaws to Hafnium.
The company describes Hafnium as a “highly skilled and sophisticated actor” and identifies it as a state-sponsored advanced persistent threat (APT) group operating out of China.
While Hafnium is based in China, the group uses a web of virtual private servers (VPS) in the U.S. to try to conceal its true location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers.
Is It Just The Hafnium?
When zero-day vulnerabilities are revealed and software vendors issue emergency security fixes, the consequences can be substantial, especially when popular software is affected.
Problems often arise from slow awareness and adoption of new patches, or because IT staff cannot apply a fix at all: they may not know that the organization uses the vulnerable software, third-party library, or component, or the update may cause compatibility problems.
Mandiant says further attacks against U.S. targets include local government bodies, universities, engineering companies, and retailers.
The cyber forensics firm believes that attackers could utilize the vulnerabilities for deploying ransomware and stealing data.
Security journalist Brian Krebs has been told by sources that hackers have targeted at least 30,000 organizations in the U.S. According to Palo Alto Networks, there were at least 125,000 unpatched servers worldwide as of March 9.
On March 5, Microsoft said it “continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”
On March 11, Check Point Research said that attack attempts leveraging the vulnerabilities were doubling every few hours.
On March 15, CPR said attack attempts had increased tenfold, based on data collected between March 11 and March 15.
The U.S., Germany, and the U.K. are now the most targeted countries. Government and military targets accounted for 23% of all exploit attempts, followed by manufacturing, financial services, and software vendors.
Conclusion
As we dissect recent high-profile cases and explore the anatomy of these attacks, a grim reality emerges: the line between data protection and hostage negotiation has blurred as businesses struggle with the growing threat. Companies like BigScal become crucial allies in the battle against such stealthy intrusions.
BigScal’s approach extends beyond traditional security paradigms. By encouraging a culture of vigilance and continual improvement, it enables businesses to foresee and minimize dangers before they materialize.
Combining cutting-edge technology with proactive strategies can stem the rising tide of cyber threats and ensure that Exchange servers remain a conduit for communication and innovation rather than a gateway for criminal extortion. The road ahead is challenging, but with the right allies we can navigate it towards a safer and more secure digital future.
FAQ
Do hackers use ransomware?
Yes, hackers often use ransomware as a malicious tool. Ransomware encrypts the victim’s data and demands payment in exchange for the decryption key. It is a profitable way for cybercriminals to extort money from individuals, businesses, and organizations, because victims desperate to recover are often willing to pay to regain access to their data. The best ways to combat such an attack are to practice good security hygiene and to keep tested, offline backups, so that an attack that does get through can be recovered from without paying.
What was the Microsoft Exchange hack?
The Microsoft Exchange hack, which emerged in January 2021 and was publicly disclosed by Microsoft on March 2, targeted weaknesses in on-premises Microsoft Exchange Server software. The attack let hackers read email accounts, steal specific information, and plant malicious programs such as web shells on the server. The scale was significant: thousands of organizations around the world were affected. Microsoft released patches to fix the flaws, and the incident highlighted the need to apply software updates promptly and to remain watchful for signs of compromise.
Which vulnerability affects Exchange servers?
The best-known weakness is ProxyLogon, a set of four zero-day CVEs, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, in on-premises Microsoft Exchange Server. These are software flaws rather than misconfigurations, so patching (not reconfiguration) is required to close them; chained together they let intruders gain access to the target systems, steal data, and plant web shells.
What happens if you don’t pay ransomware?
If you do not pay, the attackers will not hand over the decryption key, and without backups the data stays encrypted. The attackers may also threaten to delete the data if the ransom is not paid within a set period. Paying is no guarantee either: the key may never arrive or may not work, and recovery remains a risky process. The better path is to plan ahead with tested backups, firewalls, network segmentation, and encryption of sensitive data, so that the decision never has to be made.
Does wiping a computer remove ransomware?
Wiping a computer is another way to eliminate ransomware: formatting the hard drive and reinstalling the operating system removes the malware along with all data on the machine, including the encrypted files. It therefore only helps if clean backups exist to restore from, and the machine can be reinfected if the attacker still holds valid credentials or has a foothold elsewhere on the network, so fix the entry point (for example, patch the Exchange server and remove any web shells) before reconnecting it.