Hackers Are Targeting Microsoft Exchange Servers With Ransomware


It didn’t take long: hackers are now targeting Microsoft Exchange Servers with ransomware. Intelligence agencies and cybersecurity researchers had warned that unpatched Exchange Servers could open the pathway for ransomware infections in the wake of the swift escalation of the attacks since last week.

Now it appears that threat actors have caught up.


According to the latest reports, cybercriminals are leveraging the heavily exploited ProxyLogon Exchange Server flaws to install a new strain of ransomware called “DearCry.”

“Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A,” Microsoft researcher Phillip Misner tweeted. “Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.”

In a joint advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the agencies warned that “adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack.”

Successful weaponization of the flaws allows an attacker to access victims’ Exchange Servers, gaining persistent system access and control of an enterprise network. With the new ransomware threat, unpatched servers are not only at risk of data theft but may also be encrypted, preventing access to an organization’s mailboxes.


Meanwhile, as nation-state hackers and cybercriminals pile on to take advantage of the ProxyLogon flaws, proof-of-concept (PoC) code shared on Microsoft-owned GitHub by a security researcher has been taken down by the company, which cited that the exploit is under active attack.

In a statement to Vice, the company said, “In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”

The move has also sparked a debate of its own, with researchers arguing that Microsoft is “silencing security researchers” by removing PoCs shared on GitHub.

“This is huge, removing a security researcher’s code from GitHub against their own product and which has already been patched,” TrustedSec’s Dave Kennedy said. “It was a PoC, not a working exploit — none of the PoCs have had the RCE. Even if it did, that’s not their call on when the appropriate time to release is. It’s an issue in their own product, and they are silencing security researchers on that.”

This was also echoed by Google Project Zero researcher Tavis Ormandy.

“If the policy from the start was no PoC/metasploit/etc — that would suck, but it’s their service,” Ormandy said in a tweet. “Instead they said OK, and now that it’s become the standard for security pros to share code, they have elected themselves the arbiters of what is ‘responsible.’ How convenient.”

If anything, the avalanche of attacks should serve as a warning to patch all versions of Exchange Server as soon as possible, and to take steps to identify indicators of compromise associated with the hacks, given that the attackers were exploiting these zero-day vulnerabilities in the wild for at least two months before Microsoft released the patches on March 2.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities.

Small History of Google Project Zero

After finding a number of flaws in software used by many end-users while researching other problems, such as the critical “Heartbleed” vulnerability, Google decided to form a full-time team dedicated to finding such vulnerabilities, not only in Google software but any software used by its users. The new project was announced on 15 July 2014 on Google’s security blog. When it launched, one of the principal innovations that Project Zero provided was a strict 90-day disclosure deadline along with a publicly visible bugtracker where the vulnerability disclosure process is documented.

While the idea for Project Zero can be traced back to 2010, its establishment fits into the larger trend of Google’s counter-surveillance initiatives in the wake of the 2013 global surveillance disclosures by Edward Snowden. The team was formerly headed by Chris Evans, previously head of Google’s Chrome security team, who subsequently joined Tesla Motors. Other notable members include security researchers Ben Hawkes, Ian Beer and Tavis Ormandy. Hawkes eventually became the team’s manager.

The team’s focus is not just on finding bugs and novel attacks, but also on researching and publicly documenting how such flaws could be exploited in practice. This is done to ensure that defenders have a sufficient understanding of attacks; the team keeps an extensive research blog with articles that describe individual attacks in detail.
