March 24, 2021

Thousands of Exchange stable doors still unbolted, presence of horses uncertain

By Robert Scammell

Microsoft has warned that 32,000 organisations have not patched against the Exchange Server zero-day vulnerabilities exploited by Chinese state-linked cyberspies and a growing list of cybercrime gangs. However, even the 92% that have patched or mitigated the flaws could still be breached if attackers got in before the fix was applied.

On 2 March Microsoft published security fixes to four vulnerabilities, collectively known as ProxyLogon, that gave threat actors a way onto the tech giant’s mail server and calendar product.

Around 400,000 Exchange Servers were vulnerable to cyberattackers stealing sensitive data or installing malicious software such as ransomware. That number has been rapidly declining in recent weeks, falling to 100,000 on 9 March as organisations installed the crucial updates.

The tech giant’s security response team said on Monday that the latest figure marked a 43% improvement on the previous week.

However, it means that as of Monday there were still 32,000 on-prem Exchange Servers unpatched and vulnerable to attack.

Crucially, patching closes the door to new intrusions but does nothing to evict attackers who have already compromised a server. Microsoft has urged organisations running on-prem Exchange Servers to scan their networks for malicious activity in addition to patching.

Security researchers warned that cybercrime groups are scanning internet-facing Exchange servers, compromising those that are unpatched now and deciding later which servers warrant post-compromise activity.

It means that while 92% of Exchange Servers are patched, an unknown number of them were compromised before patching and could be used for cyberattacks in the coming months.

According to Slovak internet security firm ESET, more than 10 advanced persistent threat (APT) groups have taken advantage of the Exchange exploits.

These groups include LuckyMouse, Calypso and the Winnti Group.

This week Marcus Hutchins, the security researcher who found the kill switch for the 2017 WannaCry ransomware attack, said he had uncovered a second ransomware operation, called Black Kingdom, exploiting vulnerable Exchange Servers.

Fortunately, the malicious script, described by Hutchins as “by far the worst I’ve ever seen”, does not appear to encrypt files and has switched from “actual ransomware to scareware”.

The associated bitcoin account had only received one payment in three days, Hutchins added.

However, Microsoft threat intelligence analyst Kevin Beaumont said on Tuesday that Black Kingdom “does indeed encrypt files”.

It is unclear why there appear to be two versions of the ransomware.

The first reported ransomware exploiting Exchange Servers was DearCry.

Microsoft also announced this week that it had rolled out automatic mitigation for on-premises Exchange Servers via Microsoft Defender. Microsoft has also published a script that administrators can run to scan for signs of such intrusions.

Last week hacking gang REvil compromised Acer with ransomware, demanding a $50m payment to decrypt the computer giant’s files. The compromised documents include financial spreadsheets, bank balances and banking communications.

The cybercriminals may have used Microsoft Exchange Server vulnerabilities to carry out the attack, but this has not been confirmed.
