Experts Statements On New Ransomware Threat To Unpatched Microsoft Exchange Servers

Microsoft has issued an alert that attackers are using a strain of ransomware known as DearCry to target unpatched Exchange servers that remain exposed to the recently exploited vulnerabilities.

Experts Comments

March 15, 2021
Ilia Kolochenko
Founder and CEO
ImmuniWeb


Modern cybercriminals are quick to initiate large-scale exploitation campaigns for all significant vulnerabilities present in a sufficient number of production systems. Some cyber gangs gather terabytes of OSINT intelligence about Internet software, and once there is a 0day, they sell compiled lists of IP addresses or URLs known to run the vulnerable software to other gangs. This bolsters both the speed and efficiency of the exploitation. Combined with ransomware, such hacking campaigns bring huge and easy profits to perpetrators.

 

However, today, I don’t see any special risks in the continuous exploitation of Microsoft Exchange flaws. First, some of the 0days require special exploitation conditions (e.g. a user account or an accessible OWA web interface for the SSRF RCE). Thus, breached organizations likely failed to implement some security hardening or IDR processes. Moreover, organizations that are still unpatched are likely grossly negligent and have probably already been compromised before by a myriad of other vulnerabilities and attack vectors.

March 15, 2021
John Hultquist
Director of Intelligence Analysis
FireEye


We are anticipating more exploitation of the Exchange vulnerabilities by ransomware actors in the near term. Though many of the still unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails. Ransomware operators can monetize their access by encrypting emails or threatening to leak them, a tactic they have recently adopted.

 

This attack vector may be particularly attractive to ransomware operators because it is an especially efficient means of gaining domain admin access. That access enables them to deploy encryption across the enterprise. In cases where organizations are unpatched, these vulnerabilities will provide criminals a faster path to success.

 

Unfortunately, many of the remaining vulnerable organizations will be small and medium-sized businesses, state and local government, and schools, which will struggle to keep up with the deluge of actors leveraging this increasingly available exploit.

