Bekker's Blog

Blog archive

Now There's Ransomware for Those Exchange Vulnerabilities

A little more than a week after being revealed in on-premises Exchange Servers, some of the zero-day vulnerabilities are appearing in ransomware, adding further urgency to the associated patches.

Microsoft disclosed the existence on March 2 of four zero-day vulnerabilities in certain versions of Exchange that enabled access to e-mail accounts and allowed attackers to install leave-behind malware. The announcement included patches for the vulnerabilities in Exchange Server 2019 and Exchange Server 2016.

The Microsoft Threat Intelligence Center (MSTIC) attributed the campaign to a state-sponsored group it calls Hafnium that operates out of China and primarily targets entities in the United States. The initial focus was on pre-patch/pre-discovery attacks, as well as an acceleration in post-patch activity as attackers raced to beat the patches.

Now Microsoft has confirmed that ransomware organizations have gotten in on the action.

"We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry," the Microsoft Security Intelligence tweeted.

The @MsftSecIntel account also noted that Microsoft Defender customers with automatic updates turned on don't need to take additional action to protect against the DearCry ransomware. That official Microsoft account also reiterated the urgent call to patch vulnerable Exchange Servers and take other related steps.

One ransomware security researcher said the speed with which the vulnerabilities were converted to ransomware was remarkable.

"What this shows is the acceleration of the development of the ransomware actors and their maturity," said Allan Liska with Recorded Future in an interview. "If you go back to ZeroLogin, which was released in August, we didn't see ransomware actors exploiting that until October, which was a two-month gap. Here there was a nine-day gap. It shows how quickly they're growing and maturing in terms of being able to take advantage of exploits."

Posted by Scott Bekker on March 12, 2021 at 12:58 PM


Featured

  • Broadcom Acquiring VMware in Third Largest Tech Deal in History

    Confirming reports that surfaced this weekend, semiconductor company Broadcom announced on Thursday that it was acquiring virtualization pioneer VMware for $61 billion.

  • Microsoft Build 2022 Keynote: AI and Cloud Take Center Stage

    Microsoft's role as builder of platforms for organizations was the theme of Tuesday's Build keynote by CEO Satya Nadella.

  • The 2022 Microsoft Product Roadmap

    Microsoft has a lot in the docket for 2022, including new products like SQL Server 2022, Exchange Subscription Edition and Visual Studio 2022 for Mac.

  • 2022 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.