News

Microsoft Warns Unpatched Exchange Servers Subject to 'DearCry' Ransomware

• By Kurt Mackie
• 03/12/2021

Exchange Servers are getting attacked to install ransomware, dubbed "DearCry," Microsoft warned on Thursday.

The attacks are targeting unpatched Exchange Servers using a new ransomware family, Microsoft added in a terse Twitter post with few details. By "unpatched," Microsoft means its out-of-band security patches released on March 2 haven't been installed on various Exchange Server products. This new ransomware apparently was first detected and reported by researcher Michael Gillespie at the ID-Ransomware Web site, per this Friday Kaspersky Threatpost article.

Update 3/15: In a Friday post acknowledging the new ransomware attacks, Microsoft estimated that about 82,000 Exchange Server implementations hadn't yet been patched, down from an initial 400,000 unpatched servers observed on March 1, per RiskIQ data.

Microsoft's March 2 patches address four zero-day Exchange Server flaws that are being exploited by an advanced persistent threat group (APT) dubbed "Hafnium" by Microsoft. The Exchange Online service isn't subject to these exploits, though.

Spike in Exchange Server Attacks
Attacks on Exchange Server implementations worldwide have "tripled every two hours" since Microsoft's patch release on March 2, according to a Thursday announcement by Check Point Software.

The Hafnium group is thought to have used the four flaws in combination to carry out a widespread government and industry espionage campaign. However, the spike in activity cited by Check Point seems to be coming from other attackers besides the Hafnium APT group because they aren't completing all of the attack steps.

"To date, hackers have yet to carry out the full chain of attack successfully," the Check Point researchers noted regarding these more recent Exchange Server attacks.

The chaining of the four zero-day flaw Exchange Server exploits was labeled as a "ProxyLogon" attack in this BleepingComputer article. Security solutions company Volexity has characterized one of the Exchange Server flaws (CVE-2021-26855) as a "zero-day server-side request forgery vulnerability," which was used in conjunction with the other exploits to steal mailbox content.

Other Attack Groups
Security researchers at ESET Research observed spikes in installed Webshells associated with the Exchange Server exploits since Microsoft's March 2 out-of-band patch release. These Webshells were detected on more than 5,000 servers, the researchers added in a Wednesday ESET announcement.

ESET named more than 10 other APT groups, excluding Hafnium, that were involved in the Exchange Server attacks. These groups have names such as "Tick, LuckyMouse, Calypso and the Winnti Group," among others.

Like Hafnium, these other APT groups apparently are mostly using the zero-day flaws in Exchange Server to conduct espionage, dropping Webshells for the purpose. However, ESET's announcement included a timeline showing that these groups also were using the Exchange Server exploits days before Microsoft's March 2 patch release, as early as Feb. 28.

Based on its timeline, the new attacks being seen this week aren't happening because Microsoft's March 2 patches got reverse engineered, according to ESET:

This [ESET chronology] suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates.

In other words, lots of attack groups knew about the Exchange Server zero-day flaws in advance of Microsoft's patch release and were conducting early attacks.

Proof-of-Concept Code Published and Removed
More recently, a security researcher published proof-of-concept code on GitHub, illustrating the Exchange Server exploits. GitHub is a Microsoft-owned code repository.

That proof-of-concept code got published on Wednesday, but it was taken down hours later by GitHub. Details are recounted in this Vice story.