Exchange Server Vulnerability: Hackers Deploying Ransomware - Microsoft Alert

Exchange Server Vulnerabilities Exploited for Ransomware Attacks
Microsoft has issued a warning that the recently disclosed vulnerabilities in Exchange email servers are now being exploited to deploy ransomware, exposing an estimated tens of thousands of email servers to destructive attacks.
New Ransomware Strain: DoejoCrypt
The technology corporation announced via Twitter on Thursday that a new file-encrypting malware, designated DoejoCrypt (also known as DearCry), has been detected. This malware leverages the same four vulnerabilities previously associated with Hafnium, a hacking group believed to be state-sponsored by China.
Successfully exploiting these vulnerabilities in combination grants attackers complete control over compromised systems.
Multiple Threat Actors Involved
While Microsoft initially identified Hafnium as the “primary” group exploiting these flaws, their motives appeared to be focused on espionage and intelligence gathering. However, other cybersecurity firms have reported observing multiple other hacking groups taking advantage of the same vulnerabilities. ESET, for example, indicates that at least ten distinct groups are currently actively compromising Exchange servers.
Michael Gillespie, a specialist in ransomware and developer of decryption tools, has confirmed infections with DearCry on numerous vulnerable Exchange servers located in the United States, Canada, and Australia.
Exploit Code and Rapid Spread
The emergence of this new ransomware occurred less than 24 hours after a security researcher released proof-of-concept exploit code for the vulnerabilities on GitHub, a platform owned by Microsoft. The code was promptly removed due to violations of the company’s policies.
Marcus Hutchins, a security researcher with Kryptos Logic, verified the functionality of the exploit code, noting that it required some minor adjustments to operate effectively.
Vulnerable Servers Remain
RiskIQ, a threat intelligence firm, reported detecting more than 82,000 vulnerable servers as of Thursday, a number that is falling. Even so, hundreds of servers belonging to financial institutions and healthcare providers remain vulnerable, along with more than 150 servers within the U.S. federal government.
This represents a substantial reduction from the nearly 400,000 vulnerable servers identified when Microsoft initially disclosed the vulnerabilities on March 2nd.
Patching and Ongoing Risk
Microsoft released security patches last week to address these vulnerabilities, but applying the patches does not remove attackers who have already gained access to a compromised server. Both the FBI and CISA, the federal government’s cybersecurity agency, have cautioned that these vulnerabilities pose a significant threat to businesses throughout the United States.
Anticipated Increase in Ransomware Activity
John Hultquist, Vice President of Analysis at FireEye’s Mandiant threat intelligence unit, predicts that additional ransomware groups will attempt to capitalize on the situation.
“While many organizations that remain unpatched may have already been targeted by cyber espionage campaigns, criminal ransomware operations could present a greater risk by disrupting operations and extorting victims through the release of stolen email data,” Hultquist stated.