Ransomware Attacks Using Microsoft Exchange Exploits By Cybersecurity Specialist Harsh Panchal

According to ShadowServer, more than 68,500 servers have been compromised in the recent Microsoft Exchange cyber attack. In our previous blog, we discussed the newly emerging threat to Microsoft Exchange Servers, how it is affecting companies, and the countermeasures you can take to reduce the risk and protect your organisation if you are running Microsoft Exchange servers on-premises. But the threat does not end there. In this blog, we will discuss some of the malware attacks that have been observed following the Exchange vulnerabilities.

One of the vulnerabilities, called ProxyLogon (CVE-2021-26855), enables an attacker to bypass authentication and gain administrator-level access to Microsoft Exchange Servers. This vulnerability was found by a security researcher named Orange Tsai back on the 10th of December 2020. Tsai also discovered another, post-authentication vulnerability linked with ProxyLogon, CVE-2021-27065, which allows an attacker to execute arbitrary code on the authenticated system. These two vulnerabilities are chained together to perform a pre-auth RCE (Remote Code Execution) exploit, which was reported to Microsoft on the 5th of January 2021. A full timeline of these vulnerabilities can be found here.

A few days after Microsoft first released its guidance and advisory on the Microsoft Exchange Server threat, Phillip Misner, a security researcher at Microsoft Security Intelligence and the Microsoft Defender team, confirmed that attackers were exploiting the vulnerabilities to install a new ransomware called DoejoCrypt, also known as DearCry, using the Microsoft Exchange exploits.

DearCry shares some attributes with the WannaCry ransomware that impacted so many organisations and governments in 2017, an attack that security researcher Marcus Hutchins neutered. McAfee CEO Raj Samani has also released exposure data showing the countries affected by the DearCry ransomware attack.

Recently, Sophos has also reported another malware called Black Kingdom, which has been following the DearCry ransomware attacks, taking advantage of the ProxyLogon Microsoft Exchange vulnerabilities and demanding $10,000 in bitcoin to decrypt the data. According to Sophos, this is one of the most sophisticated payloads they have ever seen. Furthermore, it has been disclosed that more than 1.5K systems have been compromised by the Black Kingdom ransomware attack.

These attacks demonstrate the importance of a good vulnerability management process and the procedures companies should adopt to mitigate and protect against such threats. If you would like to find out whether your organisation has been affected by any of these vulnerabilities, or require any vulnerability management assistance, get in touch with us at hello@techforce.co.uk

Article by Harsh Panchal, Cybersecurity Specialist at TechForce

Connect with Harsh on LinkedIn
