Feds & researchers warn about ransomware attacks using Exchange vulnerability

Posted in General Discussion, edited March 2021
Microsoft, assorted security researchers, and the US Federal Government are all warning that assailants are actively exploiting zero-day vulnerabilities in Exchange email servers to deliver ransomware.

Credit: AppleInsider


Microsoft on Thursday said that it had detected a new family of ransomware, dubbed DoejoCrypt.A or DearCry, being delivered via Exchange vulnerabilities. The attacks are using the same four vulnerabilities that were previously linked to Chinese-backed hacking group Hafnium. When chained together, the vulnerabilities allow an attacker to take full control of a compromised system.

Ransomware expert Michael Gillespie said vulnerable Exchange servers in the U.S., Canada, and Australia had been hit with DearCry.

#Exchange Servers Possibly Hit With #Ransomware
ID Ransomware is getting sudden swarm of submissions with ".CRYPT" and filemarker "DEARCRY!" coming from IPs of Exchange servers from US, CA, AU on quick look. pic.twitter.com/wPCu2v6kVl

-- Michael Gillespie (@demonslay335)


Microsoft has since confirmed that the server vulnerabilities were being used in human-operated ransomware attacks, which are much more targeted and directed. The new ransomware comes about a day after a security researcher briefly published proof-of-concept code exploiting the vulnerabilities to GitHub.

The vulnerabilities have since been fixed, but those fixes can't purge an attacker from an already compromised network. Additionally, Palo Alto Networks has told BleepingComputer that there are nearly 80,000 older servers that cannot be manually patched.

Federal authorities, including the FBI and the Cybersecurity and Infrastructure Agency, have said that the vulnerabilities pose a major risk to U.S. businesses. On March 6, reports suggested that the attack had affected more than 30,000 organizations.

Reports also indicate that criminal hacking groups other than Hafnium are piling on with their own attacks leveraging the vulnerabilities.


Comments

  • Reply 1 of 4
    larryjw Posts: 1,031 member
    This attack might be a good example to support planned obsolescence and the requirement to force systems to be upgraded to continue running. 


  • Reply 2 of 4
    GeorgeBMac Posts: 11,421 member
    larryjw said:
    This attack might be a good example to support planned obsolescence and the requirement to force systems to be upgraded to continue running. 



    Unfortunately, that will not fix either of the last two major attacks because, in both cases, hackers installed software on an untold number of servers that let them monitor and control those servers remotely. Fixing the door after the burglar is inside the house only keeps out new burglars -- who, in the case of Microsoft systems, will just come in through an open window anyway.

    We will never make Microsoft systems secure.
    Instead we, with the help of Microsoft and hardware vendors, need to do two things:
    1)   Physically separate software and data
    2)   When a breach or vulnerability is detected, if there is any doubt the system has been compromised, wipe the software and reinstall clean.
  • Reply 3 of 4
    DAalseth Posts: 2,783 member
    larryjw said:
    This attack might be a good example to support planned obsolescence and the requirement to force systems to be upgraded to continue running. 



    Unfortunately, that will not fix either of the last two major attacks because, in both cases, hackers installed software on an untold number of servers that let them monitor and control those servers remotely. Fixing the door after the burglar is inside the house only keeps out new burglars -- who, in the case of Microsoft systems, will just come in through an open window anyway.

    We will never make Microsoft systems secure.
    Instead we, with the help of Microsoft and hardware vendors, need to do two things:
    1)   Physically separate software and data
    2)   When a breach or vulnerability is detected, if there is any doubt the system has been compromised, wipe the software and reinstall clean.
    Good points. 
    The first, to physically separate software and data, harkens back to the Bastion Model they pushed for us at the University I worked at. The Financial Systems database was a separate system, physically isolated from other systems. Its only connection was to the one with the customer interface, the Bastion. Users could log into the Bastion and run queries, but what the Bastion could do to the database server was strictly limited. Malware might be injected into the Bastion but could not propagate upstream to infect the DB Server. Any interfaces between the DB server and other systems, such as the Payroll system or the Accounting system, were strictly inside the server room. Those systems themselves had their own Bastions for users to interact with. Any programming changes to our systems had to be done within the server complex. Outside VPN/VNC connections were not allowed to the critical servers. Sometimes this was a PITA for the programmers, but that's the way it was.

    As far as doing a Nuke and Pave when there is a breach, we did that for desktop systems. A bit harder to do with servers, but there were times...
  • Reply 4 of 4
    GeorgeBMac Posts: 11,421 member
    DAalseth said:
    larryjw said:
    This attack might be a good example to support planned obsolescence and the requirement to force systems to be upgraded to continue running. 



    Unfortunately, that will not fix either of the last two major attacks because, in both cases, hackers installed software on an untold number of servers that let them monitor and control those servers remotely. Fixing the door after the burglar is inside the house only keeps out new burglars -- who, in the case of Microsoft systems, will just come in through an open window anyway.

    We will never make Microsoft systems secure.
    Instead we, with the help of Microsoft and hardware vendors, need to do two things:
    1)   Physically separate software and data
    2)   When a breach or vulnerability is detected, if there is any doubt the system has been compromised, wipe the software and reinstall clean.
    Good points. 
    The first, to physically separate software and data, harkens back to the Bastion Model they pushed for us at the University I worked at. The Financial Systems database was a separate system, physically isolated from other systems. Its only connection was to the one with the customer interface, the Bastion. Users could log into the Bastion and run queries, but what the Bastion could do to the database server was strictly limited. Malware might be injected into the Bastion but could not propagate upstream to infect the DB Server. Any interfaces between the DB server and other systems, such as the Payroll system or the Accounting system, were strictly inside the server room. Those systems themselves had their own Bastions for users to interact with. Any programming changes to our systems had to be done within the server complex. Outside VPN/VNC connections were not allowed to the critical servers. Sometimes this was a PITA for the programmers, but that's the way it was.

    As far as doing a Nuke and Pave when there is a breach, we did that for desktop systems. A bit harder to do with servers, but there were times...

    I wish I could take credit for thinking of those concepts, but it was just the way I was trained and the way I lived my 20 years in IT.

    Maybe it's time that we went back to those days.