Just as security experts feared, multiple reports have now confirmed that threat actors are exploiting the Microsoft Exchange Server zero-day vulnerabilities to deliver ransomware.
The vulnerabilities were first exploited by a group that Microsoft tracks as Hafnium and attributes to the Chinese state. Security experts warned that other threat actors were bound to follow once the flaws were public, and the patches have not stopped that: ESET has since identified over 5,000 compromised Exchange servers.
It is now being reported that several users from the US, Canada and Australia have submitted details of the DearCry ransomware being planted on their Exchange servers.
No end in sight
The details come from Michael Gillespie, who runs the ransomware identification site ID-Ransomware. On March 9 he noted the new submissions, which upon review revealed that they all were from Microsoft Exchange servers.
On the same day, a user on BleepingComputer’s forums reported the same DearCry ransomware on their Exchange servers, deployed through the now infamous Hafnium vulnerabilities.
Microsoft has since confirmed that the Exchange Server vulnerabilities are being exploited in human-operated attacks to deploy DearCry. In a human-operated attack the intruders work a compromised system by hand, establishing a foothold, then moving through the environment and launching the ransomware themselves, rather than relying on a worm for automated mass exploitation. That also means the ransomware may land days after the initial break-in.
In a sobering detail, Palo Alto Networks told BleepingComputer that while thousands of Exchange servers have been patched over the last few days, roughly 80,000 installations are too old to apply the security updates directly: the out-of-band fixes only install on servers running a supported Cumulative Update, so older servers must first be brought up to a supported CU before they can be patched.
Palo Alto Networks also urges organizations to check their systems for signs of compromise even if they have applied the patches, because the attackers had free rein for months before the vulnerabilities were fixed. Patching closes the door but does not remove web shells or other persistence an intruder has already planted.
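One way to make that post-patch check concrete, as an added example that is not part of the article or any vendor's tooling (Microsoft's own Test-ProxyLogon.ps1 from the CSS-Exchange repository is the authoritative log-based check): a triage script that hunts for recently written web shells in the Exchange front-end directories and for DearCry artifacts on the data volumes. The paths, the cut-off date and the drive list are assumptions to adjust per installation; the DearCry markers (files renamed with a .CRYPT extension whose first eight bytes are the ASCII string DEARCRY!, with a readme.txt ransom note alongside) follow the public analyses of the sample.

```powershell
# Added triage example; not code from the article or from any vendor.
# Run in an elevated PowerShell session on the Exchange server itself.
# $ExchangeRoot, $DataRoots and $Since are assumptions: adjust for your install.
param(
    [string]$ExchangeRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15",
    [string[]]$DataRoots  = @("C:\", "D:\"),
    [datetime]$Since      = (Get-Date "2021-01-01")   # assumed start of the intrusion window
)

# 1. Web-shell hunt: script files created or modified since $Since in the
#    front-end directories the Exchange intrusions are known to write into.
$webShellDirs = @(
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy\owa\auth"),
    "C:\inetpub\wwwroot\aspnet_client"
)
$suspectShells = foreach ($dir in $webShellDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Include *.aspx, *.ashx, *.asmx -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since }
    }
}

# 2. DearCry hunt: an encrypted file carries the .CRYPT extension and starts
#    with the marker "DEARCRY!"; confirming the header avoids false hits on
#    unrelated .CRYPT files.
function Test-DearCryHeader {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 8
            $n   = $fs.Read($buf, 0, 8)
            return ($n -eq 8) -and ([System.Text.Encoding]::ASCII.GetString($buf) -eq 'DEARCRY!')
        } finally { $fs.Dispose() }
    } catch { return $false }
}

$encrypted = foreach ($root in $DataRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Filter *.CRYPT -File -ErrorAction SilentlyContinue |
            Where-Object { Test-DearCryHeader $_.FullName }
    }
}

# Ransom notes are dropped as readme.txt next to the encrypted files, so only
# look for them in directories where a confirmed .CRYPT file was found.
$notes = @($encrypted) |
    ForEach-Object { Join-Path $_.DirectoryName "readme.txt" } |
    Sort-Object -Unique |
    Where-Object { Test-Path $_ }

# 3. Report. Do not delete anything here: preserve evidence first.
"Suspect web-shell candidates written since $Since :"
$suspectShells | Select-Object FullName, CreationTime, LastWriteTime | Format-Table -AutoSize
"DearCry-encrypted files found: $(@($encrypted).Count)"
$encrypted | Select-Object -First 20 FullName | Format-Table -AutoSize
"Ransom notes found: $(@($notes).Count)"
$notes | Format-Table -AutoSize

if (@($suspectShells).Count -gt 0 -or @($encrypted).Count -gt 0) {
    Write-Warning "Indicators present: isolate the host and preserve IIS and Exchange logs before remediating."
}
```

A hit on the web-shell check is the more important one even when no .CRYPT files exist, since in a human-operated intrusion the shell is the foothold and the ransomware is the last step; a clean result from this script is not proof of a clean server, so follow it with the log-based checks and a review of recently created accounts and scheduled tasks.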
Via: BleepingComputer