This is a situation that we feared in recent days and which is now a reality: the famous vulnerabilities in Microsoft Exchange servers are no longer only used by cyber espionage groups, but also to distribute ransomware.
Microsoft has confirmed that a first such specimen, dubbed “DearCry”, has infiltrated corporate networks through unpatched Exchange servers. The good news, if we can say so, is that Microsoft Defender is already able to detect and block this new threat.
Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A. Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers. #DearCry @MsftSecIntel
– Phillip Misner (@phillip_misner) March 12, 2021
We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.
– Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021
The arrival of the first ransomware was only a matter of time. When vulnerabilities as serious as those in Microsoft Exchange are patched, attackers rush to analyze the update and reverse-engineer it into working exploit code as quickly as possible, so they can target the systems that have not yet been updated.
Security researchers, too, have begun publishing detailed technical analyses, such as the one from the company Praetorian.
Controversy over a proof of concept
Last Wednesday, a Vietnamese security researcher also posted on GitHub a first proof-of-concept exploit for the Exchange flaws, which Microsoft did not like at all.
Microsoft, which owns GitHub, had the code removed, sparking a lively controversy within the security research community, which is used to openly exchanging exploits once a patch is available.
“It’s huge, removing a security researcher’s code from GitHub (…) for a system that has already been patched. It’s not good”, says the hacker Dave Kennedy on Twitter.
But Microsoft felt that the risk was still too great, given the number of vulnerable servers. Palo Alto Networks estimates that there are still more than 125,000 vulnerable systems worldwide.
Under these conditions, “disseminating out-of-the-box remote control code is not security research, it is irresponsible and stupid”, says the security researcher Marcus Hutchins, aka MalwareTech.
Regardless, this debate will not stop the criminals. Administrators should patch their Exchange servers as quickly as possible.
Source: Bleeping Computer