comparemela.com

Latest Breaking News On - Cheng-Da Tsai - Page 2 : comparemela.com

Rushed to Market: DearCry Ransomware Targeting Exchange Bug

DearCry ransomware appends .CRYPT to forcibly encrypted files. (Source: Sophos)

Fresh ransomware targeting as-yet-unpatched on-premises Exchange servers appears to have been rushed to market, with attackers seeking to capitalize on new opportunities before the competition stepped in, security firm Sophos reports. Sophos has published a teardown of the new DearCry ransomware, which it describes as being unsophisticated and apparently created by a beginner. The ransomware was first spotted in the wild on March 9. DearCry targets a critical proxy-logon flaw in Microsoft Exchange email servers, which was one of four zero-day flaws Microsoft patched via software updates issued on March 2, when it warned that the flaws were already being exploited in the wild.

How Did the Exchange Server Exploit Leak?

BankInfoSecurity, May 5, 2021. It has been an open question how a half-dozen hacking groups began exploiting Exchange servers in an automated fashion in the days leading up to Microsoft's patches. But there are strong signs that exploit code leaked, and the question now is: Who leaked it? A Taiwanese computer security researcher indicated on Friday that exploit code he developed and privately shared with Microsoft in early January ended up in hostile hands. It's an unsatisfactory prospect that the question of how the Exchange exploit leak occurred may never be solved. But it may direct questions back to Microsoft as to whether the MAPP is still worth it.

Exchange Server attacks increase 10 times in a week

The most targeted industry sectors have been government and military (23% of all exploit attempts), followed by manufacturing (15%), banking and financial services (14%), software vendors (7%), and healthcare (6%), said researchers. The attacks have been ongoing since the recently disclosed vulnerabilities on Microsoft Exchange Server. Orange Tsai (Cheng-Da Tsai) from DEVCORE, a security firm based in Taiwan, reported two vulnerabilities in January. On further investigation, Microsoft uncovered five more critical vulnerabilities. According to Check Point Research analysts, the vulnerabilities allow an attacker to read emails from an Exchange server without authentication or accessing an individual’s email account. Further vulnerability chaining enables attackers to completely take over the mail server. Once a hacker gains control of an Exchange server, they can open the network to the internet and access it remotely, posing a critical security risk for millions of organization

Microsoft Exchange: At Least 10 APT Groups Exploiting Flaws

Dearcry Ransomware Targets Unpatched Exchange Servers

Source: Microsoft, Bleeping Computer

Ransomware-wielding attackers have begun to exploit a serious proxy-logon flaw in unpatched versions of Microsoft Exchange running on premises, Microsoft reports. Hackers have exploited the flaw to access vulnerable servers, crypto-lock files and demand a ransom from victims in return for the promise of a decryption tool. News of the attack campaign follows Microsoft on March 2 issuing emergency patches to fix four zero-day flaws in Microsoft Exchange, which is one of the most widely used pieces of IT infrastructure in the world. "Because we are aware of active exploits of related vulnerabilities in the wild," Microsoft said in its March 2021 Exchange Server Security Updates alert, which it continues to update, "our recommendation is to install these updates immediately to protect against these attacks."
