Now There's Ransomware for Those Exchange Vulnerabilities
A little more than a week after they were revealed, some of the zero-day vulnerabilities in on-premises Exchange Servers are being used to deploy ransomware, adding further urgency to the associated patches.
On March 2, Microsoft disclosed four zero-day vulnerabilities in certain versions of Exchange that enabled access to e-mail accounts and allowed attackers to install leave-behind malware. The announcement included patches for the vulnerabilities in Exchange Server 2019 and Exchange Server 2016.
The Microsoft Threat Intelligence Center (MSTIC) attributed the campaign to a state-sponsored group it calls Hafnium that operates out of China and primarily targets entities in the United States. The initial focus was on attacks carried out before the vulnerabilities were discovered and patched, as well as on an acceleration in post-patch activity as attackers raced to compromise servers before administrators could apply the patches.
Now Microsoft has confirmed that ransomware organizations have gotten in on the action.
"We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry," the Microsoft Security Intelligence account tweeted.
The @MsftSecIntel account also noted that Microsoft Defender customers with automatic updates turned on don't need to take additional action to protect against the DearCry ransomware. That official Microsoft account also reiterated the urgent call to patch vulnerable Exchange Servers and take other related steps.
One ransomware security researcher said the speed with which the vulnerabilities were converted to ransomware was remarkable.
"What this shows is the acceleration of the development of the ransomware actors and their maturity," said Allan Liska with Recorded Future in an interview. "If you go back to Zerologon, which was released in August, we didn't see ransomware actors exploiting that until October, which was a two-month gap. Here there was a nine-day gap. It shows how quickly they're growing and maturing in terms of being able to take advantage of exploits."
Posted by Scott Bekker on March 12, 2021