Hackers Exploit Exchange Servers to Drop Ransomware
Hackers are exploiting vulnerable Exchange servers to drop ransomware, Microsoft says.
Hackers are exploiting recently discovered vulnerabilities in Exchange email servers to drop ransomware, Microsoft has warned. The move puts tens of thousands of email servers at risk of destructive attacks.
In a tweet late Thursday, the tech giant said it had detected a new kind of file-encrypting malware, called DoejoCrypt or DearCry, which uses the same four vulnerabilities that Microsoft linked to a new China-backed hacking group called Hafnium.
When chained together, the vulnerabilities allow the hacker to take full control of a vulnerable system.
Microsoft said Hafnium is the “primary” group exploiting the flaws, likely for espionage and intelligence gathering. But other security firms say they have seen other hacking groups exploit the same flaws. ESET said at least 10 groups are actively compromising Exchange servers.
Michael Gillespie, a ransomware expert who develops ransomware decryption tools, said many vulnerable Exchange servers in the U.S., Canada, and Australia had been infected with DearCry.
The new ransomware comes less than a day after security researchers published proof-of-concept exploit code for the vulnerabilities to the Microsoft-owned GitHub. The code was quickly deleted once it was found to be in violation of the company’s rules.
Marcus Hutchins, a security researcher at Kryptos Logic, said in a tweet that the code worked, albeit with some fixes.
Threat intelligence company RiskIQ says it has detected over 82,000 vulnerable servers as of Thursday, but the number is declining. The company said hundreds of servers belonging to banks and healthcare companies are still affected, as well as more than 150 servers in the U.S. federal government.
That’s a rapid drop compared to the close to 400,000 vulnerable servers when Microsoft first disclosed the vulnerabilities on March 2, the company said.
Microsoft published security fixes last week, but the patches do not expel hackers from already breached servers. Both the FBI and CISA, the federal government’s cybersecurity advisory unit, have warned that the vulnerabilities present a major risk to businesses across the United States.
John Hultquist, vice president of analysis at FireEye’s Mandiant threat intelligence unit, said he anticipates more ransomware groups trying to cash in.
“Though many of the organizations still unpatched had been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails,” said Hultquist.
Microsoft told security expert Brian Krebs that the company was made aware of the four zero-day bugs in “early” January.
A DEVCORE researcher, credited with finding two of the security issues, appears to have reported them on January 5. Going under the handle “Orange Tsai,” the researcher tweeted:
“Just report the pre-auth RCE chain to the vendor. This might be the most serious RCE I have ever reported.”
According to Volexity, attacks using the four zero-days may have started as early as January 6, 2021.
Dubex reported suspicious activity on Microsoft Exchange servers in the same month.
On March 2, Microsoft released patches to tackle four critical vulnerabilities in the Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in “limited, targeted attacks.”
Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from enterprise giants to small and medium-sized businesses worldwide.
While fixes have been issued, the scope of the potential Exchange Server compromise depends on the speed and uptake of the patches, and over a month on, the security issue persists.
Microsoft is also reportedly investigating potential links between PoC attack code issued privately to cybersecurity partners and vendors prior to the patch release and exploit tools spotted in the wild, as well as the prospect of an accidental or deliberate leak that prompted a spike in attacks.
What are the vulnerabilities and why are they important?
The critical vulnerabilities, known collectively as ProxyLogon, impact on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected.
Microsoft is also updating Exchange Server 2010 for “defense-in-depth purposes.”
- CVE-2021-26855: CVSS 9.1: a server-side request forgery (SSRF) vulnerability that lets unauthenticated attackers send crafted HTTP requests. The server must accept untrusted connections over port 443 for the bug to be triggered.
- CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging service, allowing arbitrary code execution as SYSTEM.
- CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an attacker write to paths on the server.
- CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability that lets an attacker write to paths on the server.
If used in an attack chain, these vulnerabilities can lead to remote code execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.
In summary, Microsoft says that attackers secure access to the Exchange Server either through these bugs or through stolen credentials; they can then create a web shell to hijack the system and execute commands remotely.
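Because the patches close the entry points but do not remove a web shell that was already written, a patched server still needs to be checked for one. The script below is an added example, not part of the article and not Microsoft's guidance: it lists .aspx files written under the Exchange install tree after a cutoff date and records a hash for each, which is the usual first pass of web-shell triage. It assumes Exchange setup populated the ExchangeInstallPath environment variable on the server, and the cutoff date is a constructed value to be replaced by the earliest date the server could have been exposed.

```powershell
# Added example (not from the article): first-pass web-shell triage on an Exchange host.
# Assumption: $env:ExchangeInstallPath is set by Exchange setup (e.g. ...\Exchange Server\V15\).
$Cutoff      = Get-Date '2021-01-01'      # constructed cutoff for this example; set to your exposure window
$InstallRoot = $env:ExchangeInstallPath
if (-not $InstallRoot) { throw 'ExchangeInstallPath is not set; run this on the Exchange server itself.' }

# Any .aspx created or modified after the cutoff is a candidate for manual review.
$Suspects = Get-ChildItem -Path $InstallRoot -Recurse -Include *.aspx -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Cutoff -or $_.CreationTime -gt $Cutoff }

# Record timestamps, size and a SHA256 per hit so results can be compared across servers
# and against vendor-published indicators without re-reading each file.
$Report = foreach ($f in $Suspects) {
    [pscustomobject]@{
        Path          = $f.FullName
        CreationTime  = $f.CreationTime
        LastWriteTime = $f.LastWriteTime
        SizeBytes     = $f.Length
        SHA256        = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

$Report | Sort-Object CreationTime -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path "$env:TEMP\exchange-aspx-review.csv" -NoTypeInformation
Write-Host ("{0} candidate file(s) written after {1}" -f @($Report).Count, $Cutoff.ToShortDateString())
```

Two caveats for reading the output: cumulative updates and the security patches themselves rewrite legitimate .aspx files, so hits clustered at the patch install time must be cross-checked against the update timestamp rather than treated as findings, and an empty list does not prove the server is clean, since a web shell may use another extension or the attacker may already have moved past it to other persistence.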
“These vulnerabilities are part of the attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to an Exchange server on port 443.
This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.
Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
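The mitigation Microsoft describes, restricting which networks may reach port 443, can be applied with the Windows Defender Firewall cmdlets on the Exchange host itself. The script below is an added example, not part of the article and not Microsoft's own code; the trusted address ranges are constructed placeholders, and it assumes the host relies on the firewall profile's default inbound action rather than on a custom rule set.

```powershell
# Added example (not from the article or Microsoft): scope inbound TCP 443 on an
# on-premise Exchange host to trusted ranges (VPN, internal clients, other Exchange
# servers, load balancers) until the March 2 patches are applied.
$TrustedRanges = @('10.20.0.0/16', '192.168.10.0/24')   # constructed placeholders; use your own

# Windows Defender Firewall evaluates explicit Block rules ahead of Allow rules, so a
# "block all 443, then allow the VPN" pair would block the VPN as well. Rely instead on
# the profile's default inbound action (Block), disable the unscoped 443 allows, and add
# a single allow rule limited to the trusted ranges.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Helper: every enabled inbound rule whose port filter includes TCP 443.
function Get-Inbound443Rule {
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
}

# Disable Allow rules that accept 443 from any remote address (for example the IIS
# "World Wide Web Services (HTTPS Traffic-In)" rule); leave already-scoped rules alone.
Get-Inbound443Rule | Where-Object { $_.Action -eq 'Allow' } | ForEach-Object {
    $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Host "Disabling unscoped rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }
}

# Allow TCP 443 only from the trusted ranges.
New-NetFirewallRule -DisplayName 'Exchange HTTPS from trusted ranges only' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $TrustedRanges -Action Allow -Profile Any | Out-Null

# Verify: print each remaining inbound 443 rule with its action and remote scope.
Get-Inbound443Rule | ForEach-Object {
    $addr = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    '{0,-50} {1,-6} remote={2}' -f $_.DisplayName, $_.Action, $addr
}
```

The trusted ranges must cover every legitimate client of the server's HTTPS endpoints (Outlook and mobile clients, other Exchange servers in the organisation, any load balancer in front of it), or client access and mail flow break along with the attacker's path. As the quoted text says, this only closes the unauthenticated entry point; it does nothing against an attacker who already holds credentials or a foothold.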
Who is responsible for known attacks?
Microsoft says that the original attacks using the zero-day flaws have been traced back to Hafnium.
Hafnium is a state-sponsored advanced persistent threat (APT) group from China that the company describes as a “highly skilled and sophisticated actor.”
While Hafnium originates in China, the group uses a web of virtual private servers (VPS) located in the US to try to conceal its true location. Entities previously targeted by the group include think tanks, non-profits, defense contractors, and researchers.
Is it just Hafnium?
When zero-day vulnerabilities come to light and emergency security fixes are issued, the ramifications can be massive if popular software is involved.
Problems can often be traced back to a lack of awareness of new patches, slow uptake, or reasons why IT staff cannot apply a fix, whether because they are unaware that the organization is using the affected software, third-party libraries, or components, or because of compatibility problems.
Mandiant says further attacks against US targets include local government bodies, universities, engineering companies, and retailers.
The cyber forensics firm believes the vulnerabilities could be used for the purposes of ransomware deployment and data theft.
Sources have told cybersecurity expert Brian Krebs that at least 30,000 organizations in the US have been hacked. Palo Alto Networks suggests there were at least 125,000 unpatched servers worldwide, on March 9.
On March 5, Microsoft said it saw “continued increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond Hafnium.”
On March 11, Check Point Research said that attack attempts leveraging the vulnerabilities were doubling every few hours.
On March 15, CPR said that attack attempts had increased tenfold, based on data collected between March 11 and March 15.
The US, Germany, and the UK are now the most targeted countries. Government and military targets accounted for 23% of all exploit attempts, followed by manufacturing, financial services, and software vendors.