New ransomware now attacking Microsoft Exchange users


Just as security experts feared, multiple reports have now confirmed that threat actors are exploiting the Microsoft Exchange email server zero-day vulnerabilities to deliver ransomware.

Chinese state-sponsored threat actors known as Hafnium were the first to exploit the vulnerabilities. Security experts warned that more threat actors were bound to exploit the now-patched vulnerabilities, amidst news of ESET identifying over 5000 compromised Exchange servers.

It’s now being reported that several users from the US, Canada and Australia have submitted details about the DearCry ransomware being planted on their Exchange servers.

No end in sight

The details come from Michael Gillespie, who runs the ransomware identification site ID-Ransomware. On March 9 he noted the new submissions, which on review all turned out to come from Microsoft Exchange servers.

On the same day, a user on BleepingComputer’s forum boards shared details about the same DearCry ransomware attack on his Exchange servers using the now-infamous Hafnium vulnerabilities.

Microsoft has now confirmed that the Exchange server vulnerabilities are indeed being exploited in human-operated attacks to deploy the DearCry ransomware. Human-operated attacks are more personalized and directed: they are conducted by humans who compromise a system’s security manually, instead of using a worm for mass attacks.

In a shocking revelation, Palo Alto Networks told BleepingComputer that while thousands of Exchange servers have been patched over the last few days, there are about 80,000 installations that are too old for the patches to be applied directly.

They also urge organizations to check their systems for signs of compromise even if they have applied the patches, since they believe the attackers had a free run for months before the vulnerabilities were fixed.

Via: BleepingComputer

Mayank Sharma
