Microsoft has issued an alert that hackers are using a strain of ransomware known as DearCry to target unpatched Exchange servers still exposed to the recently exploited vulnerabilities.
Modern cybercriminals are quick to initiate large-scale exploitation campaigns for all significant vulnerabilities present in a sufficient number of production systems. Some cyber gangs gather terabytes of OSINT intelligence about Internet software, and once there is a 0day, they sell compiled lists of IP addresses or URLs known to run the vulnerable software to other gangs. This bolsters both the speed and efficiency of the exploitation. Combined with ransomware, such hacking campaigns bring huge and easy profits to perpetrators.

However, today, I don’t see any special risks in the continuous exploitation of Microsoft Exchange flaws. First, some of the 0days require special exploitation conditions (e.g. a user account or an accessible OWA web interface for the SSRF RCE). Thus, breached organizations likely failed to implement some security hardening or IDR processes. Moreover, organizations that are still unpatched are likely grossly negligent and have probably already been compromised before by a myriad of other vulnerabilities and attack vectors.
We are anticipating more exploitation of the Exchange vulnerabilities by ransomware actors in the near term. Though many of the still-unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails. Ransomware operators can monetize their access by encrypting emails or threatening to leak them, a tactic they have recently adopted.

This attack vector may be particularly attractive to ransomware operators because it is an especially efficient means of gaining domain admin access. That access enables them to deploy encryption across the enterprise. In cases where organizations are unpatched, these vulnerabilities will provide criminals a faster path to success.

Unfortunately, many of the remaining vulnerable organizations will be small and medium-sized businesses, state and local government, and schools, which will struggle to keep up with the deluge of actors leveraging this increasingly available exploit.
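Both comments above turn on one concrete question: is a given Exchange server still on a build that predates the March 2021 security update? As an added example that is not part of the article or of either commentator's text, the Python below triages an inventory of "server,build" lines against the fixed builds and flags anything it cannot prove patched. The server names and inventory are constructed, and the build numbers are an assumption: they are the March 2021 patched builds as I recall them from Microsoft's Exchange build-number table and must be checked against that table before the script is relied on. One caveat the script is built around: the AdminDisplayVersion that Get-ExchangeServer reports only reflects the Cumulative Update, not the security update, so the value to feed in is the file version of ExSetup.exe (`Get-Command ExSetup.exe | ForEach-Object {$_.FileVersionInfo}` in the Exchange Management Shell).

```python
"""Triage an Exchange server inventory against the March 2021 security-update builds.

Added example, not code from the article or from Microsoft. The patched build
numbers below are the March 2021 builds as I recall them from Microsoft's
Exchange build-number table; treat them as an ASSUMPTION and check them
against Microsoft's current table before relying on this script.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Lowest build that carries the March 2021 fix, keyed by the first three
# version components, which identify the Cumulative Update (CU).
# ASSUMPTION: verify these against Microsoft's build-number table.
PATCHED_BUILDS: dict[tuple[int, int, int], tuple[int, int, int, int]] = {
    (15, 2, 721): (15, 2, 721, 13),    # Exchange 2019 CU8
    (15, 2, 659): (15, 2, 659, 12),    # Exchange 2019 CU7
    (15, 1, 2176): (15, 1, 2176, 9),   # Exchange 2016 CU19
    (15, 1, 2106): (15, 1, 2106, 13),  # Exchange 2016 CU18
    (15, 0, 1497): (15, 0, 1497, 12),  # Exchange 2013 CU23
}

# Constructed sample inventory (hypothetical hosts). Real data must come from
# the file version of ExSetup.exe, not from AdminDisplayVersion, because
# security updates change only the former.
SAMPLE_INVENTORY = """\
# server,exsetup_file_version
exch01.corp.example,15.1.2106.13
exch02.corp.example,15.1.2106.2
exch03.corp.example,15.2.721.2
exch04.corp.example,15.1.2044.4
"""


@dataclass(frozen=True)
class Finding:
    server: str
    build: tuple[int, int, int, int]
    status: str  # "patched", "unpatched" or "unknown-cu"


def parse_build(text: str) -> tuple[int, int, int, int]:
    """Turn '15.1.2106.13' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build number: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def assess(server: str, build_text: str) -> Finding:
    """Compare one server's build with the fixed build for its CU.

    A CU absent from the table is reported as unknown-cu, never as patched:
    the script cannot prove it carries the fix, so it stays on the to-do list
    until someone checks it against Microsoft's table.
    """
    build = parse_build(build_text)
    fixed = PATCHED_BUILDS.get(build[:3])
    if fixed is None:
        return Finding(server, build, "unknown-cu")
    return Finding(server, build, "patched" if build >= fixed else "unpatched")


def assess_inventory(lines: Iterable[str]) -> list[Finding]:
    """Assess every 'server,build' line, skipping blanks and '#' comments."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        server, _, build_text = line.partition(",")
        findings.append(assess(server.strip(), build_text))
    return findings


def exposed(findings: Iterable[Finding]) -> list[str]:
    """Servers that still need attention: unpatched or unverifiable."""
    return [f.server for f in findings if f.status != "patched"]


if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY.splitlines())
    for f in results:
        print(f"{f.server:24} {'.'.join(map(str, f.build)):16} {f.status}")
    print("needs attention:", ", ".join(exposed(results)))
```

The conservative default matters here: a build whose CU is not in the table is reported as unknown rather than silently passed, which is the right failure mode when the question is whether a server can still be hit by the exploit.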
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.