Exchange: ProxyLogon exploited by ransomware



Despite a questionable delay, Microsoft has released patches that fix the four Exchange Server vulnerabilities (known as ProxyLogon), but the threat is not over. Some attackers have exploited the bugs to install the DearCry ransomware. Meanwhile, the Redmond company has removed from GitHub a tool that could be used to attack Exchange servers.

Exchange ProxyLogon: Ransomware attack

DearCry was discovered by Michael Gillespie, the creator of the ID Ransomware site, which lets victims identify a ransomware family from the ransom note or an encrypted file. Many users started uploading files on March 9th, and Gillespie found that nearly all of them came from Microsoft Exchange servers.

A Microsoft Security Program Manager confirmed that DearCry ransomware was installed on outdated servers.

Microsoft observed a new family of human operated ransomware attacking customers - detected as Ransom:Win32/DoejoCrypt.A. Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers. #DearCry @MsftSecIntel

- Phillip Misner (@phillip_misner) March 12, 2021

The Redmond company has again advised users to install the patches released earlier this month as soon as possible.

Microsoft Defender customers utilizing automatic updates do not need to take additional action to receive these protections. On-premises Exchange Server customers should prioritize the security updates outlined here:

- Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021

DearCry encrypts files on the victim's computer (adding the .crypt extension) with AES 256-bit and RSA 2048-bit encryption. To regain access to the files, the victim must contact the ransomware author by email. At least one victim was asked for a ransom of $16,000.

According to research by ESET, there are currently at least 10 groups of cybercriminals who have exploited the four Exchange Server vulnerabilities. According to Palo Alto Networks, there are over 125,000 servers still vulnerable worldwide.

This is surely why Microsoft has removed from GitHub the code of a "proof-of-concept" tool that could be used to run attacks exploiting two of the four vulnerabilities. The author (a Vietnamese security researcher) explained that he only wanted to inform users. Some colleagues criticized Microsoft's decision, calling it censorship; others supported the choice because the tool was too dangerous.

"Has already been patched". Dude, there's more than 50,000 unpatched exchange servers out there. Releasing a full ready to go RCE chain is not security research, it's reckless and stupid.

- MalwareTech (@MalwareTechBlog) March 11, 2021

This is Microsoft's official response:

We understand that publishing and distributing the exploit proof of concept code has educational and research value for the community and our goal is to balance that benefit with maintaining the security of the ecosystem. Under our Acceptable Use Policies we have disabled the gist following reports of the presence of the code to exploit a recently disclosed vulnerability.

Source: Bleeping Computer

Microsoft Exchange attacks: Watch out for this new ransomware threat to unpatched servers

Microsoft has issued an alert that hackers using a strain of ransomware known as DearCry are now targeting unpatched Exchange servers still exposed to four vulnerabilities that were being exploited by suspected Chinese government hackers.

Microsoft is warning Exchange customers once again to apply the emergency patches it released last week for critical flaws affecting on-premise Exchange email servers. 

Microsoft urged customers on March 2 to install the patches immediately due to the risk that more cybercriminals and state-backed hackers would exploit the flaws in coming weeks and months. 


It said existing attacks were being carried out by a Chinese hacking group it calls Hafnium. However, security vendor ESET reported yesterday that at least 10 state-backed hacking groups were now attempting to exploit flaws in unpatched Exchange servers.   

And now cyber criminals are looking to feed off the Exchange bugs. Ransomware attackers spreading a strain called DearCry are attempting to install the malware after compromising Exchange servers, according to Microsoft. 

'We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,' Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft's Defender antivirus will detect the new threat.  

Microsoft added that customers using Microsoft Defender antivirus that use automatic updates don't need to take additional action after patching the Exchange server. 

Microsoft appears to be treating this set of Exchange bugs as an urgent one to fix and last week provided further security updates to address the flaw in unsupported versions of Exchange. 

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) last week ordered federal agencies to patch the Exchange flaws or cut vulnerable servers off from the internet. 

CISA further said it is 'aware of threat actors using open-source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020.'

The bugs affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019, but not Exchange Online. 

The attackers were using the bugs to compromise Exchange servers and deploy web shells to steal data and maintain access to the servers after the initial compromise. Web shells are small scripts that provide a basic interface for remote access to a compromised system.

Microsoft has released a script on its code-sharing site GitHub that admins can use to check for the presence of web shells on Exchange servers. 

That script could come in handy when kicking attackers off a previously compromised system. Microsoft security researcher Kevin Beaumont recommended organizations run the script after patching to ensure the web shells are removed. 
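The following is an added illustration of the kind of check described above, written for this page and not Microsoft's Test-ProxyLogon.ps1 or any other Microsoft code. It applies CISA's "investigate from at least September 1, 2020" advice to a web root: every .aspx file is compared against a defender-maintained inventory of known-good pages (an assumption here; a real hunt would use vendor file hashes), and known pages whose timestamps changed after the baseline are reported separately from pages that are not in the inventory at all. The directory tree, file names and inventory are constructed for the demo.

```python
"""Added example: triage .aspx files under a web root for web-shell hunting.
Not Microsoft's Test-ProxyLogon.ps1; a minimal, portable illustration only."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Baseline taken from the CISA guidance quoted on the page.
BASELINE = datetime(2020, 9, 1, tzinfo=timezone.utc)


def triage_aspx(root, known_good, baseline=BASELINE):
    """Walk `root` and return two sorted lists of POSIX-style relative paths:
    'unknown'  - .aspx files not present in the `known_good` inventory
    'modified_after_baseline' - inventoried files whose mtime is after `baseline`
    `known_good` is a set of relative paths the defender trusts (assumption)."""
    root = Path(root)
    unknown, modified = [], []
    for path in root.rglob("*.aspx"):
        rel = path.relative_to(root).as_posix()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if rel not in known_good:
            unknown.append(rel)          # dropped file: not part of the inventory
        elif mtime > baseline:
            modified.append(rel)         # legitimate name, but touched recently
    return {"unknown": sorted(unknown), "modified_after_baseline": sorted(modified)}


def build_demo_tree():
    """Construct a throwaway directory standing in for a small IIS web root:
    one inventoried page with an old timestamp and one newly written page."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    legit = root / "owa" / "auth" / "legit-page.aspx"      # constructed name
    legit.parent.mkdir(parents=True)
    legit.write_text("<!-- constructed stand-in for an inventoried page -->")
    old = datetime(2019, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(legit, (old, old))                            # predates the baseline
    dropped = root / "owa" / "auth" / "unexpected.aspx"    # constructed name
    dropped.write_text("<!-- constructed stand-in for a file not in inventory -->")
    return root


def demo():
    """Run the triage over the constructed tree and return its findings."""
    root = build_demo_tree()
    known_good = {"owa/auth/legit-page.aspx"}   # constructed inventory
    return triage_aspx(root, known_good)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Files appearing in either list are leads for manual review, not verdicts: a vendor update also changes timestamps, which is why comparing against published file hashes is the stronger check once the quick triage has narrowed the list.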


CISA has advised it 'is aware of widespread domestic and international exploitation of these vulnerabilities' and urged Exchange admins to run Microsoft's Test-ProxyLogon.ps1 script. 

Independent security researchers behind the MalwareHunterTeam account on Twitter say they've seen attacks on companies in Canada, Denmark, the United States, Australia and Austria, with the first victims observed on March 9 — just seven days after Microsoft issued the patch and warned Exchange customers to patch immediately.

CISA strongly recommends organizations run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised.
