According to ShadowServer, more than 68,500 servers have been compromised from the recent Microsoft Exchange Cyber Attack. In our previous blog, we have discussed the new emerging threat of Microsoft Exchange Servers and how they're affecting companies, and the countermeasures you can take to reduce the risk and protect your organisation if you're using Microsoft Exchange servers on-premises. But the threat still does not end there. In this blog, we will discuss some of the malware attacks that have been seen due to the Exchange vulnerabilities.
One of the vulnerabilities called ProxyLogon (CVE-2021-26855) enables the attacker to bypass the authentication and compromise the administrator access of the Microsoft Exchange Servers. This vulnerability was found by a security researcher named Orange Tsai back on the 10th of December 2020. Tsai also discovers another post-authentication vulnerability linked with the ProxyLogin, CVE-2021-27065 which allows the attacker to execute arbitrary code on the authenticated system. These both vulnerabilities are used together to perform Pre-Auth RCE (Remote Code Execution) exploit that was reported to Microsoft on the 5th of January 2021. A full timeline of these vulnerabilities can be found here.
Just after a few days when Microsoft first released a guideline and advisory on Microsoft Exchange Server threat, one of the security researcher Phillip Misner working at Microsoft Security Intelligence and Microsoft Defender Team confirmed that attackers are exploiting the vulnerabilities and installing new ransomware called DoejoCrypt also known as DearCry using Microsoft Exchange exploits.
DearCry shares some of the attributes from WannaCry ransomware that has impacted so many organisations and governments in 2017 and security researcher Marcus Hutchins neutered the attack. McAfee CEO, Raj Samani also released the exposure showing the countries that are affected by the DearCry ransomware attack.
Recently, Sophos has also reported another malware called the Black KingDom. that has been following the DearCry ransomware attacks, taking advantage of the ProxyLogon Microsoft Exchange Vulnerabilities and asking to pay $10,000 in bitcoins to decrypt the data. According to Sophos, this is one of the most sophisticated payloads they've ever seen. Furthermore, it has been disclosed that more than 1.5K systems have been compromised from the Black Kingdom ransomware attack.
These attacks demonstrate the importance of good vulnerability management and procedure that companies should adopt to mitigate and protect against such threats. If you would like to find out if you're organisation have been affected by any of these vulnerabilities or require any vulnerability management assistance get in touch with us at firstname.lastname@example.org
Article by Harsh Panchal, Cybersecurity Specialist at TechForce
A new Windows vulnerability actively exploited using phishing attacks
Early this month Microsoft has published a note on a critical vulnerability that allows attackers to fully gain access to the user device known as MSHTML remote code execution and CVE-2021-4...More
Windows zero-day vulnerability HiveNightmare aka SeriousSAM
HiveNightmare is one of the Windows zero-day vulnerabilities that is currently exploited in the wild. It is also known as SeriousSAM (CVE-2021-36934) due to the nature of the attack includes...More
We are nominated - Making the Difference award through the Northern Star Business Awards AGCC
The finalists have been announced for the Northern Star Business Awards, the Chamber’s annual accolades for successful businesses in the region and TechForce has been shortlisted for Making ...More
Kaseya REvil Ransomware Attack From Our Cybersecurity Specialist Harsh Panchal
Kaseya is one of the largest Managed Service Providers (MSPs) who manages and provides various IT and Cybersecurity services around the world. One of the services is called Kaseya VSA.More
FOR LATEST UPDATES SUBSCRIBE HERE: