This Sunday, security researcher Marcus Hutchins discovered that Microsoft Exchange servers are now being targeted by BlackKingdom ransomware. Marcus, known as MalwareTechBlog on Twitter, tweeted his findings that a threat actor was compromising all vulnerable Exchange servers via the ProxyLogon vulnerability.

Expert Comments

March 23, 2021
Saryu Nayyar
CEO
Gurucul

As long as there are still unpatched Microsoft Exchange servers accessible on the open internet, we will see attacks like this. The payloads may change depending on what the threat actor is after, but they will continue to leverage the vulnerabilities in Exchange Server until there aren't any vulnerable hosts to exploit.

 

This series of attacks is a reminder of how important it is to maintain on-premises software with security patches, and to make sure the local environment is protected with an up-to-date security stack.

March 23, 2021
Jorge Orchilles
CTO
SCYTHE

The trend of state actors and ransomware groups using the same exploits is common. We saw it with nation states using EternalBlue followed by WannaCry and NotPetya ransomware. When an exploit is new and relatively unknown, it is exploited by the more sophisticated groups that have access to it. As the exploit becomes more known, other groups focused on monetizing the exploit will begin to use them. Today, those groups focus on dropping ransomware after the initial access.

 

At this point, if there is an external facing Exchange server that has not been patched, it most likely has multiple threat actors fighting over access to leverage the access.
