Exchange Week 2 – Ransomware Joins The Fray

Following exposure and publication of a major remote execution vulnerability like Exchange’s ProxyLogon (CVE-2021-26855), we expect other threat actors to join the race against system administrators trying to patch their systems.

Initial reporting showed the threat actor dubbed HAFNIUM were quietly exploiting these vulnerabilities since at least January 2021. Following the release of patches and responsible disclosure by Volexity that followed, it was reported that up to 10 threat actors had begun actively attacking unpatched servers across the world.

Today we have confirmation that a NEW Ransomware variant was unleashed utilizing the Exchange ProxyLogon exploit.

Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A. Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers. #DearCry @MsftSecIntel

— Phillip Misner (@phillip_misner) March 12, 2021

The earliest report of this malware appears to be from 9 March in the BleepingComputer forum where the MalwareHunterTeam confirmed it’s novelty and relatively limited early distribution thus far.

No new confirmed company victims seen yesterday and until now today on IDR for this. So it's not that very widespread (yet?). But also you can expect other (especially big) ransomware gangs to start exploiting this (or using already placed backdoors by others), if not already…

— MalwareHunterTeam (@malwrhunterteam) March 12, 2021

RECOMMENDATIONS:

Most Important: Patch your Microsoft Exchange exposed servers.

Regardless of when you patched, you need to assume you were compromised. The threat actors threw internet-wide scans across the world exploiting exchange servers enmass following disclosure last week. Some of these left silent backdoors waiting to be exploited following the application of patches – we should assume some of these will be used to deliver ransomware in the future.

Post exploit detection can be done effectively using Infocyte’s WebShell and Hafnium scanner which consolidates all-source threat intelligence and recommendations from Microsoft. Combined with our much more sophisticated rootkit and implant detection capabilities, it is the most comprehensive threat hunt you can perform on your exchange servers and surrounding systems.

Sign up today for a free guided assessment of your systems — our team is available to assist anyone going through an exchange-related breach.

Infocyte Team

The post Exchange Week 2 – Ransomware Joins The Fray appeared first on Infocyte.

*** This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Chris Gerritz. Read the original post at: https://www.infocyte.com/blog/2021/03/12/exchange-week-2-ransomware-joins-the-fray/