Exchange Hafnium Attackers Now Using Ransomware
Another reason to patch early and patch often: The Exchange Server zero-day vulnerabilities Microsoft first disclosed earlier this month are now being used to deploy ransomware.
As Microsoft disclosed on March 2, the vulnerabilities enable attackers to access e-mail accounts and install leave-behind malware. Microsoft has issued out-of-band patches for the vulnerabilities in Exchange Server 2019 and Exchange Server 2016.
The Microsoft Threat Intelligence Center (MSTIC) attributed the campaign to a state-sponsored group it calls Hafnium that operates out of China and primarily targets entities in the United States. Activity initially consisted of attacks carried out before the vulnerabilities were discovered and patched, followed by an acceleration in post-patch activity as attackers raced to compromise servers before administrators could apply the patches.
Now Microsoft has confirmed that ransomware organizations have gotten in on the action.
"We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry," the Microsoft Security Intelligence account tweeted.
The @MsftSecIntel account also noted that Microsoft Defender customers with automatic updates turned on don't need to take additional action to protect against the DearCry ransomware. That official Microsoft account also reiterated the urgent call to patch vulnerable Exchange Servers and take other related steps.
One ransomware security researcher said the speed with which the vulnerabilities were converted to ransomware was remarkable.
"What this shows is the acceleration of the development of the ransomware actors and their maturity," said Allan Liska with Recorded Future in an interview. "If you go back to Zerologon, which was released in August, we didn't see ransomware actors exploiting that until October, which was a two-month gap. Here there was a nine-day gap. It shows how quickly they're growing and maturing in terms of being able to take advantage of exploits."
Posted by Scott Bekker on 03/12/2021 at 1:01 PM