Hackers Exchange Servers Ransomware

Overview

Hackers are exploiting vulnerable Exchange servers to drop ransomware attacks, Microsoft says.

Microsoft has warned that hackers exploit recently discovered vulnerabilities in Exchange email servers to drop the ransomware. The move puts tens of thousands of email servers at risk (a Phishing Fraud) of destructive attacks.

In a tweet late Thursday, a tech giant said it detected a new kind of file-encrypting malware called DoejoCrypt or DearCry, which uses the same four vulnerabilities that Microsoft linked to the new China-backed hacking group Hafnium.

When chained together, the vulnerabilities allow the hacker to control a vulnerable system completely.

Microsoft said

Hafnium is the “primary” group exploiting flaws, likely for espionage and intelligence gathering. But other security firms say they have seen other hacking groups use the same weaknesses. ESET noted at least the ten groups are actively compromising the Exchange servers.

Michael Gillespie

The new ransomware comes less than a day after security researchers published a proof-of-concept exploit code for the vulnerabilities to the Microsoft-owned GitHub. If the The violates the company’s regulations it gets deleted quickly..

Marcus Hutchins

The security researcher at Kryptos Logic said in the tweet that the code worked, albeit with some fixes.

Threat intelligence

The company RiskIQ reports detecting over 82,000 vulnerable servers as of Thursday, but the number is declining. Furthermore, the company noted that hundreds of servers owned by banks and healthcare companies remain affected, along with over 150 servers within the U.S. federal government.

The company pointed out that this shows a rapid drop compared to the almost 400,000 vulnerable servers that were present when Microsoft first disclosed the vulnerabilities on March 2nd.

Microsoft released security patches last week, but these patches do not prevent hackers from breaching servers. The FBI and CISA, the federal government’s cybersecurity advisory unit, have warned that the vulnerabilities present a significant risk to businesses across the United States.

John Hultquist, vice president of the analysis at FireEye’s Mandiant threat intelligence unit, said he anticipates more than ransomware groups trying to cash in.

What Are The Vulnerabilities And Why Are They Important?

Their ProxyLogon is a severe vulnerability that affects on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Microsoft is also updating Exchange Server in 2010 for “defense-in-depth purposes.”

• CVE-2021-26855: CVSS 9.1: The Server Request Forgery (SSRF) vulnerability results in unauthenticated attackers sending crafted HTTP requests. Servers need to be capable of accepting untrusted connections over port 443 for the bugs to activate.
• CVE-2021-26857: CVSS 7.8: the insecure deserialization vulnerability in an Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM.
• CVE-2021-26858: CVSS 7.8: The post-authentication arbitrary file writes vulnerability to write to the paths.
• CVE-2021-27065: CVSS 7.8: The post-authentication arbitrary file writes vulnerability to write to the paths.

If used in the attack chain, these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.

In summary, Microsoft says that the attackers secure access to the Exchange Server either through these bugs or stolen credentials, and they can then create a web shell to hijack the system and execute commands remotely.

“These vulnerabilities are part of the attack chain,” Microsoft says. “The initial attack requires an untrusted Exchange server port 443 connection.

You can protect your system by restricting untrusted connections through the setup of a VPN, which will segregate an Exchange server from external access.

Using this mitigation will only protect against the initial portion of the attack;

If an attacker already has access or can convince administrators to run the malicious file, they can trigger other pieces of the chain.

Who Is Responsible For Known Ransomware Attacks?

Microsoft attributes the tracing of the original attacks using the zero-day flaws to Hafnium.

The company describes Hafnium as a “highly skilled and sophisticated actor,” identifying them as the state-sponsored advanced persistent threat (APT) group from China.

While the Hafnium originates in China, the group uses the web of virtual private servers (VPS) in the U.S. to try and conceal its proper location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers.

Is It Just The Hafnium?

When zero-day vulnerabilities are revealed and software vendors issue emergency security fixes. The consequences can be substantial, especially when popular software is affected.

Issues often arise due to the awareness of new patches and slow adoption. It also arises due to the reasons why I.T. staff might be unable to implement a fix. This could result from being unaware that an organization utilizes software, third-party libraries, or components at risk. It may also be due to compatibility problems.

Mandiant says further attacks against U.S. targets include local government bodies, universities, engineering companies, and retailers.

The cyber forensics firm believes that attackers could utilize the vulnerabilities for deploying ransomware and stealing data.

Cybersecurity expert Brian Krebs has been informed by sources that hackers have targeted at least 30,000 organizations in the U.S. According to Palo Alto Networks, there were a minimum of 125,000 unpatched servers worldwide as of March 9th.

On March 5, Microsoft said to the company, “continued increased use of these vulnerabilities in the targets of the attacks unpatched systems by multiple malicious actors beyond the Hafnium.”

And On March 11, Check Point Research said that the attack attempts leveraging the vulnerabilities doubled every few hours.

On March 15, CPR said that the attack attempts increased ten times based on the data collected between March 11 and March 15.

The US, Germany, and the U.K. are now the most targeted countries. The Government and military targets accounted for 23% of all exploit attempts, followed by manufacturing, financial services, and software vendors.

Conclusion

As we dissect recent high-profile cases and explore the anatomy of these attacks, a grim reality emerges: the line between data protection and hostage negotiation has blurred as businesses struggle to deal with the growing threats. Companies like BigScal become crucial allies in the battle against such sneaky invasions.

In addition, BigScal’s approach extends beyond traditional security paradigms. They enable businesses to foresee and minimize dangers before they materialize by encouraging a culture of vigilance and continual development.

Combining cutting-edge technology with proactive strategies can stem the rising tide of cyber threats and ensure that exchange servers remain a conduit of communication and innovation rather than a gateway for criminal extortion. Hence, the road ahead is challenging, but with the right allies, we can navigate it towards a safer and more secure digital future.

FAQ