Threat actors are exploiting the Microsoft Exchange Server vulnerabilities by installing a new ransomware strain on unprotected servers.
Microsoft threat researcher Phillip Misner confirmed news reports late Thursday on Twitter. The new family of human-operated ransomware is detected as Ransom:Win32/DoejoCrypt.A and has been given the nickname DearCry because it writes that string at the start of each encrypted file. It also appends the extension .CRYPT to those files.
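A small file-system triage scanner built on the two traits just described (the DearCry string at the start of an encrypted file and the .CRYPT extension), added here as an example and not taken from the article, Microsoft or ID Ransomware. The exact header bytes (`MARKER`) are an assumption based on the article's wording and should be confirmed against a vetted indicator source; the sample tree it scans is constructed from harmless bytes.

```python
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

CRYPT_EXT = ".CRYPT"  # extension the article reports
MARKER = b"DearCry"   # assumed header bytes; confirm against a vetted IoC source
@dataclass
class ScanResult:
    marked: list = field(default_factory=list)       # marker and .CRYPT: high confidence
    ext_only: list = field(default_factory=list)     # .CRYPT name, no marker: verify by hand
    marker_only: list = field(default_factory=list)  # marker, other name: verify by hand
    scanned: int = 0

def has_marker(path, marker=MARKER):
    """Read only the first len(marker) bytes rather than the whole file."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(marker)) == marker
    except OSError:
        return False
def scan_tree(root, marker=MARKER):
    """Walk root and bucket each file by extension and header evidence."""
    res = ScanResult()
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        res.scanned += 1
        ext = path.name.upper().endswith(CRYPT_EXT)
        mark = has_marker(path, marker)
        if ext and mark:
            res.marked.append(str(path))
        elif ext:
            res.ext_only.append(str(path))
        elif mark:
            res.marker_only.append(str(path))
    return res

def build_sample_tree():
    """Constructed, harmless sample files so the scanner runs stand-alone."""
    root = tempfile.mkdtemp(prefix="dearcry-triage-")
    samples = {"docs/report.docx.CRYPT": MARKER + b"\x00" * 32,
               "docs/budget.xlsx.CRYPT": MARKER + b"\xff" * 16,
               "docs/notes.txt": b"plain text, untouched",
               "web/old.CRYPT": b"renamed by hand, no marker",
               "tmp/odd.bin": MARKER + b"stray header"}
    for rel, data in samples.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
    return root
```

Splitting hits into three buckets keeps the high-confidence list (both traits present) separate from files that merely share a name or a header and need a manual look.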
Michael Gillespie of the ID Ransomware website, which helps identify ransomware strains, also said in a tweet that the site has suddenly seen several submissions with IP addresses from Exchange servers in Canada, the U.S. and Australia. Gillespie told Bleeping Computer that the submissions started March 9.
Initial reports didn’t say which threat group is using this new weapon.
“The fact that cybercriminals potentially now have easy access to a very large number of Exchange servers is obviously concerning, especially for smaller businesses which may not have the ability to establish whether they’ve been compromised, let alone carry out remediation,” said Brett Callow, British Columbia-based threat researcher for Emsisoft. “We really need governments to step up quickly and provide companies with the resources they need to secure their environments.”
Some cyber gangs gather terabytes of open-source intelligence about internet software. Once a zero-day vulnerability appears, they sell compiled lists of IP addresses or URLs known to run the vulnerable software to other gangs, according to Ilya Kolochenko, founder and chief architect of ImmuniWeb SA. “This bolsters both the speed and efficiency of the exploitation. Combined with ransomware, such hacking campaigns bring huge and easy profits to perpetrators.
“However, today, I don’t see any special risks in the continuous exploitation of Microsoft Exchange flaws. First, some of the zero-days require special exploitation conditions, such as a user account or an accessible web interface for the SSRF RCE (server-side request forgery remote code execution),” Kolochenko explained. “Thus, breached organizations likely failed to implement some security hardening or IDR processes. Moreover, organizations who are still unpatched are likely grossly negligent and probably have been already compromised before by a myriad of other vulnerabilities and attack vectors.”
Exploitation attempts have doubled
Check Point Software reports that threat actors are wasting no time finding ways to leverage the vulnerabilities. On Thursday, it said in the previous 24 hours the number of exploitation attempts on organizations it tracks doubled every two to three hours.
The vulnerabilities, dubbed by some researchers as ProxyLogon, allow an attacker to read emails from an Exchange server without authentication or accessing an individual’s email account. Further vulnerability chaining enables attackers to take over the mail server itself completely.
Two incident response firms have told IT World Canada of at least five Canadian firms whose on-premise Exchange servers had been compromised. This was before Microsoft announced the discovery of the vulnerabilities on March 2.
News that ransomware is now being leveraged against vulnerable Exchange Servers makes it more imperative that Exchange administrators install the security patches to block access to the vulnerabilities and look for indicators of compromise such as webshells and backdoors intruders may have left.
Earlier this week ESET said at least 10 threat groups are trying to exploit the vulnerabilities first publicly revealed by Microsoft on March 2. However, ESET and other researchers say there’s evidence that groups were using the holes to get into on-prem Exchange environments before that date.
Admins are making good progress in patching, but thousands of Exchange servers remain vulnerable. Palo Alto Networks said late Thursday that its Expanse detection platform counted 2,700 vulnerable servers on the internet, down from 4,500 on Tuesday. In the U.S., the number of unpatched internet-connected Exchange servers was 20,000, down from 30,000 on Tuesday. There are still an estimated 80,000 unpatched servers remaining.
In a statement, Matt Kraning, chief technology officer of Cortex at Palo Alto Networks, said this is uncharted territory.
“I’ve never seen security patch rates this high for any system, much less one as widely deployed as Microsoft Exchange,” he said. “Still, we urge organizations running all versions of Exchange to assume they were compromised before they patched their systems because we know attackers were exploiting these zero-day vulnerabilities in the wild for at least two months before Microsoft released the patches on March 2.”
Other countries on Thursday with unpatched internet-connected Exchange servers include:
- Germany – 11,000
- U.K. – 4,900
- France – 4,000
- Italy – 3,700
- Russia – 2,900
- Switzerland – 2,500
- Australia – 2,200
- China – 2,100
- Austria – 1,700
- Netherlands – 1,600