The News: On Thursday, March 11th Microsoft detected, and reported via Twitter, that it was blocking a new family of ransomware being used after the initial compromise of unpatched on-prem Exchange Servers. This ransomware, DoejoCrypt or DearCry, represents more security woes for Microsoft and is related to the Microsoft Exchange Server hack, allegedly perpetrated by Chinese state-sponsored hackers, and the vulnerabilities announced last week. Read more at CRN.
More Security Woes for Microsoft’s Exchange Servers as Threat Actors Get Busy — Patching is Urgent
Analyst Take: Microsoft acknowledged late last week more security woes in the wake of the Microsoft Exchange Server hack. On-prem Microsoft Exchange servers that remained unpatched a week later are now having DearCry ransomware deployed on them by threat actors. Microsoft Security Program Manager Phillip Misner tweeted at 9:19pm ET on Thursday, March 11th, that “Microsoft observed a new family of human operated ransomware attack customers … [h]uman operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.”
The good news is that this announcement came quickly, just two hours after it was reported that hackers were taking advantage of the server vulnerabilities to install ransomware.
Microsoft followed up the evening announcement at 11:53 pm ET on Thursday with the following: “We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as … DearCry.”
Microsoft advised that Defender customers using automatic updates do not need to take additional action to receive protection, but provided instructions for on-prem Exchange Server customers to prioritize the needed security updates.
What’s the Damage? Some Microsoft Exchange Customers Have Not Yet Updated Their Exchange Environments Posing Considerable Risk
What’s the damage? Short answer: there’s no way to know at this point. SC Media reports that, so far, the biggest motive appears to be an espionage mission by the Chinese, although one of the original 10 clusters of activity was determined to be criminal in intent, installing cryptomining malware.
Beyond espionage targets, much risk remains for enterprises and beyond. These vulnerabilities allow an attacker to read emails from an Exchange server without authenticating or accessing an individual’s email account, and can ultimately be chained to take over the email server itself. Once they do that, threat actors can open the network to the internet and attack it remotely, which opens the door to considerable security risk for millions of organizations.
There remain many Microsoft Exchange customers who have not yet updated their Exchange environments, despite the fact that both Microsoft and security experts the world over have described the situation as grave and recommend immediate patching, followed by searching for the presence of web shells and other signs that indicate compromise. Check Point Security opines that “if your organization’s Microsoft Exchange server is exposed to the internet and has not been updated with the latest patches nor protected by a third party software (such as Check Point), then you should assume the server is completely compromised. Compromised servers could enable an unauthorized hacker to extract your corporate emails and execute malicious code inside your organization with high privileges.”
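The web-shell search the experts recommend above is, at its simplest, a sweep of the IIS and Exchange web directories for server-side script files that were created or modified recently and are not part of the known-good install. The following is an added example of that triage step, not Microsoft’s published script or any vendor tooling; the directory paths, the file extensions swept, and the 14-day window are assumptions chosen for illustration, and any hit still has to be reviewed by hand against a clean baseline.

```python
import os
import time
from datetime import datetime, timezone

# Web roots to sweep. These are common IIS/Exchange locations on a default
# install, assumed here for illustration rather than taken from the article.
DEFAULT_ROOTS = [
    r"C:\inetpub\wwwroot",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess",
]

# Server-side script types that a dropped web shell would typically use.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def find_recent_web_files(roots, cutoff_epoch, extensions=SCRIPT_EXTENSIONS,
                          baseline=frozenset()):
    """Return a list of (path, mtime) for script files under `roots` whose
    modification time is at or after `cutoff_epoch` (seconds since the epoch)
    and whose normalized path is not in `baseline` (known-good files).
    Newest files come first so the most recent change is at the top."""
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue  # skip roots that do not exist on this host
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(extensions):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # unreadable or vanished file: skip, do not crash
                if mtime >= cutoff_epoch and os.path.normcase(path) not in baseline:
                    hits.append((path, mtime))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def format_report(hits):
    """Render hits as one 'timestamp  path' line each, in UTC."""
    lines = []
    for path, mtime in hits:
        stamp = datetime.fromtimestamp(mtime, tz=timezone.utc)
        lines.append(f"{stamp.strftime('%Y-%m-%d %H:%M:%S UTC')}  {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Look back 14 days, roughly the window between disclosure and this article.
    cutoff = time.time() - 14 * 86400
    report = format_report(find_recent_web_files(DEFAULT_ROOTS, cutoff))
    print(report or "no recently modified script files found under the swept roots")
```

Run it on the Exchange host itself and compare the output against a baseline list captured from a known-clean install of the same build; a recently modified `.aspx` under the OWA or ECP directories that is not in that baseline is what to escalate for manual review.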
It is speculated that the scope of the compromise here is potentially larger than originally thought, as there are tens of thousands of Exchange customers around the world. While enterprise and high-profile government organizations are at risk, public sector organizations of all sizes and small/midsize businesses are equally at risk, as hackers have rushed in and are looking for low-hanging fruit and opportunities to exploit. Note that some security experts estimate that 60,000 victims have (so far) been identified, with at least 10 hacking gangs taking advantage of the opportunity to hack unpatched Exchange Servers. Bloomberg reported that some 14,000 companies had not yet patched the vulnerability, and that some 30,000 companies have. In the UK, the National Cyber Security Centre (NCSC) reports it believes over 3,000 Microsoft Exchange email servers have not yet had the critical security patch applied. These numbers, while not in any way small, are likely to be the tip of the iceberg.
Note that there are multiple risks here. One is that the Microsoft Exchange zero-day vulnerabilities can be exploited by threat actors to gain remote code execution, which gives them the ability to get inside a victim’s network, access information, steal data, and do damage that might not be immediately identifiable. With this new threat, hackers have a different focus: deploying the DearCry ransomware to disrupt organizations, demand ransom, hold emails or other data hostage and/or threaten to leak the information.
Is it an Inside Job? Microsoft Investigates the Possibility of a Leak
Bloomberg reported on the morning of Friday, March 12th that a leak might have triggered the mass compromises that occurred ahead of Microsoft’s patch release, following acknowledgment of the breach. Said Bloomberg, “The sources, who weren’t authorized to speak on the matter, said a leak, if indeed there was one, may have come from one of the company’s security or government partners, or from independent researchers. A leak may have been malicious, or it could have been part of a separate security breach.”
Microsoft has produced an additional series of Security Updates (SUs) that can be applied to older (and unsupported) Cumulative Updates (CUs). The company says, “The availability of these updates does not mean that you don’t have to keep your environment current. This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs.” Linked here are instructions on what steps to take from Microsoft’s security blog.
Exploits are Multiplying Rapidly the World Over
Check Point Research reported on Monday, March 15th that they have seen thousands of exploit attempts against organizations worldwide, and that the number of attacks has increased tenfold, from 700 on March 11th to over 7,000 on March 15th. The company observed that “exploitation attempts are now doubling every two to three hours.” Not surprisingly, the most targeted sectors have been Government/Military (23% of all exploit attempts), Banking & Financial (14%), Software Vendors (7%), and Healthcare (6%).
The country most attacked has been the U.S., accounting for 17% of all exploit attempts, followed by Germany (6%), the UK (5%), the Netherlands (5%), and Russia (4%).
In short, Microsoft’s security woes as they relate to the Exchange Server hack and the subsequent hacking campaigns make it a tough time, and what I’m sure are a lot of sleepless nights, for the company as well as for CISOs and their security teams the world over.
In an alert published on Saturday, the US Cybersecurity and Infrastructure Security Agency (CISA) noted that Microsoft’s team has published a script on GitHub that can check the security status of Exchange servers. If you’re not 100% sure, check it now. And patch, baby, patch.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.