Microsoft Exchange attacks: Watch out for this new ransomware threat to unpatched servers

Ransomware attackers are now targeting Exchange servers that haven’t received the patches that Microsoft released last week.
Written by Liam Tung, Contributing Writer

Microsoft has issued an alert that hackers using a strain of ransomware known as DearCry are now targeting unpatched Exchange servers still exposed to four vulnerabilities that were being exploited by suspected Chinese government hackers.

Microsoft is warning Exchange customers once again to apply the emergency patches it released last week for critical flaws affecting on-premise Exchange email servers. 

Microsoft urged customers on March 2 to install the patches immediately due to the risk that more cybercriminals and state-backed hackers would exploit the flaws in coming weeks and months. 

SEE: Network security policy (TechRepublic Premium)

It said existing attacks were being carried out by a Chinese hacking group it calls Hafnium. However, security vendor ESET reported yesterday that at least 10 state-backed hacking groups were now attempting to exploit flaws in unpatched Exchange servers.   

And now cyber criminals are looking to feed off the Exchange bugs. Ransomware attackers spreading a strain called DearCry are attempting to install the malware after compromising Exchange servers, according to Microsoft. 

"We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry," Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft's Defender antivirus will detect the new threat.  

Microsoft added that customers using Microsoft Defender antivirus that use automatic updates don't need to take additional action after patching the Exchange server. 

Microsoft appears to be treating this set of Exchange bugs as an urgent one to fix and last week provided further security updates to address the flaw in unsupported versions of Exchange. 

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) last week ordered federal agencies to patch the Exchange flaws or cut vulnerable servers off from the internet

CISA further said it is "aware of threat actors using open-source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020."

The bugs affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019, but not Exchange Online. 

The attackers were using the bugs to comprise Exchange servers and deploy web shells to steal data and maintain access to servers after initial compromise. Web shells are small scripts that provide a basic interface for remote access to a compromised system. 

Microsoft has released a script on its code-sharing site GitHub that admins can use to check for the presence of web shells on Exchange servers. 

That script could come in handy when kicking attackers off a previously compromised system. Microsoft security researcher Kevin Beaumont recommended organizations run the script after patching to ensure the web shells are removed

SEE: Cybercrime groups are selling their hacking skills. Some countries are buying

CISA has advised it "is aware of widespread domestic and international exploitation of these vulnerabilities" and urged Exchange admins to run Microsoft's Test-ProxyLogon.ps1 script. 

Independent security researchers behind the MalwareHunterTeam account on Twitter say they've seen attacks on companies in Canada, Denmark, United States, Australia, Austria, with the first victims observed on March 9 — just seven days after Microsoft issued the patch and warned Exchange customers to patch immediately. 

CISA strongly recommends organizations run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised.

Editorial standards