Attackers are targeting Exchange servers that remain unpatched and vulnerable, including to spread a new strain of ransomware called DearCry.
Microsoft alerts: Unpatched Exchange servers still exposed to the four recently announced vulnerabilities are being targeted by attackers using a strain of ransomware known as DearCry.
The tech giant is once again urging its customers to apply the emergency fixes rolled out last week for the critical security flaws affecting on-premises Exchange mail servers. As early as March 2, Microsoft was warning customers of the importance of installing the patches as soon as possible, since other attackers and APT groups could be expected to exploit these flaws in the weeks and months to come.
Microsoft first revealed that the cyber-attacks related to these vulnerabilities were carried out by a Chinese group named Hafnium. However, security vendor ESET reported last week that at least 10 APT groups are currently attempting to exploit unpatched security vulnerabilities.
Ransomware named DearCry
And now cybercriminals are looking to feed on these security holes. According to Microsoft, attackers are attempting to install a strain of ransomware named DearCry after compromising Exchange servers.
"We have detected and blocked a new family of ransomware used after an initial compromise of unpatched on-premises Exchange servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry," Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft Defender Antivirus detects the new threat.
Microsoft Defender Antivirus users who have automatic updates enabled do not need to take any additional action for this detection, but it does not replace patching: the Exchange fixes still have to be applied to close the initial entry point.
CISA's directive
The Exchange vulnerabilities appear to be a priority for Microsoft, which last week also rolled out additional security updates to address the flaws in unsupported versions of Exchange.
The Cybersecurity and Infrastructure Security Agency (CISA), a US federal agency under the Department of Homeland Security, ordered federal agencies earlier this month to patch the Exchange vulnerabilities or disconnect vulnerable servers from the internet.
CISA added that it is "aware that cyber attackers are using open-source tools to search for vulnerable Microsoft Exchange servers" and advises organizations to look for signs of compromise dating back to 1 September 2020.
Checking for web shells
The bugs affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019; Exchange Online is not affected.
Attackers used these vulnerabilities to compromise Exchange servers and deploy web shells, in order to steal data and maintain access to the servers after the initial compromise. Web shells are small scripts dropped on the web server that let an attacker run commands through ordinary HTTP requests, giving a basic remote-access interface to the compromised system that survives patching.
Microsoft has published a script on GitHub, Test-ProxyLogon.ps1, which administrators can use to check Exchange servers for indicators of compromise, including the presence of web shells.
This script can help evict attackers from an already compromised system. Microsoft security researcher Kevin Beaumont recommends that organizations run the script after patching, to make sure web shells dropped before the fix was applied have been found and removed, since installing the update does not clean up an existing compromise.
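The following is an added illustration, not code from the original article and not Microsoft's Test-ProxyLogon.ps1: a quick triage sweep that lists recently created or modified ASP.NET files in the web-reachable Exchange directories and flags ones containing constructs typical of a web shell. The directory list and the regular expressions are assumptions chosen for this example (the drop locations follow published Hafnium guidance; adjust them to your install path), and the 1 September 2020 cut-off mirrors CISA's hunt window quoted above.

```powershell
# Added example: hunt for candidate web shells in Exchange web directories.
# Assumptions: directory list and patterns below are illustrative, not an official IOC list.

$Since = Get-Date '2020-09-01'   # CISA hunt window start (see article)

# Install path from the Exchange environment variable, with a fallback for the default location.
$ExchangePath = $env:ExchangeInstallPath
if (-not $ExchangePath) { $ExchangePath = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

# Web-reachable directories where web shells have been reported (assumed list).
$Paths = @(
    'C:\inetpub\wwwroot\aspnet_client',
    (Join-Path $ExchangePath 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $ExchangePath 'FrontEnd\HttpProxy\ecp\auth')
)

# Constructs a legitimate Exchange page has no reason to contain but a web shell relies on.
$Patterns = @(
    'Request\.(Form|QueryString|Headers|Item)\[',       # reads attacker-supplied input
    'eval\(',                                           # JScript eval, as in one-line shells
    'Process\.Start|ProcessStartInfo|cmd\.exe|powershell', # command execution
    'Assembly\.Load|System\.Reflection'                 # in-memory code loading
)

function Find-CandidateWebShell {
    foreach ($Dir in $Paths) {
        if (-not (Test-Path -Path $Dir)) { continue }
        Get-ChildItem -Path $Dir -Recurse -Include *.aspx,*.asp,*.ashx -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
            ForEach-Object {
                $Content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
                if (-not $Content) { return }
                $Hits = $Patterns | Where-Object { $Content -match $_ }
                if ($Hits) {
                    [PSCustomObject]@{
                        Path       = $_.FullName
                        Created    = $_.CreationTime
                        Modified   = $_.LastWriteTime
                        SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                        Indicators = ($Hits -join '; ')
                    }
                }
            }
    }
}

# Run from an elevated Exchange Management Shell or PowerShell session on the server.
Find-CandidateWebShell | Format-List
```

Treat every hit as something to review by hand, not as proof of compromise: a Cumulative Update can legitimately touch files after the cut-off date, which is why the time filter is combined with content patterns. The SHA256 column lets you compare a suspicious file against published indicators, and a file that was not shipped by Exchange yet reads request parameters and starts processes should be preserved for forensics before it is removed.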
Exploitation is widespread
CISA adds that it is "aware of the widespread domestic and international exploitation of these vulnerabilities" and urges administrators of Exchange servers to run Microsoft's Test-ProxyLogon.ps1 script.
Independent security researchers behind the MalwareHunterTeam account on Twitter have seen attacks against companies in Canada, Denmark, the United States, Australia, and Austria. The first victims were seen on March 9, just seven days after Microsoft's warning and the release of the fixes.
CISA strongly recommends that organizations run the Test-ProxyLogon.ps1 script as soon as possible to determine whether their systems have been compromised, since patching alone does not reveal or undo an intrusion that happened before the update was applied.