Experts Statements On New Ransomware Threat To Unpatched Microsoft Exchange Servers

Microsoft has issued an alert that hackers are using a strain of ransomware known as DearCry to target unpatched Exchange servers that are still exposed to the exploited vulnerabilities.

2 Expert Comments
Ilia Kolochenko, Founder and CEO
InfoSec Expert
March 15, 2021 3:27 pm

Modern cybercriminals are quick to initiate large-scale exploitation campaigns for all significant vulnerabilities present in a sufficient number of production systems. Some cyber gangs gather terabytes of OSINT intelligence about Internet software, and once there is a 0day, they sell compiled lists of IP addresses or URLs known to run the vulnerable software to other gangs. This bolsters both the speed and efficiency of the exploitation. Combined with ransomware, such hacking campaigns bring huge and easy profits to perpetrators.

However, today, I don’t see any special risks in the continuous exploitation of Microsoft Exchange flaws. First, some of the 0days require special exploitation conditions (e.g. a user account or an accessible OWA web interface for the SSRF RCE). Thus, breached organizations likely failed to implement some security hardening or IDR processes. Moreover, organizations that are still unpatched are likely grossly negligent and have probably already been compromised by a myriad of other vulnerabilities and attack vectors.

Last edited 1 year ago by Ilia Kolochenko
John Hultquist, Director of Intelligence Analysis
InfoSec Expert
March 15, 2021 1:44 pm

We are anticipating more exploitation of the Exchange vulnerabilities by ransomware actors in the near term. Though many of the still unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails. Ransomware operators can monetize their access by encrypting emails or threatening to leak them, a tactic they have recently adopted.

This attack vector may be particularly attractive to ransomware operators because it is an especially efficient means of gaining domain admin access. That access enables them to deploy encryption across the enterprise. In cases where organizations are unpatched, these vulnerabilities will provide criminals a faster path to success.

Unfortunately, many of the remaining vulnerable organizations will be small and medium-sized businesses, state and local government, and schools, which will struggle to keep up with the deluge of actors leveraging this increasingly available exploit.

Last edited 1 year ago by John Hultquist