Exchange Server: Attackers use vulnerabilities for ransomware “DearCry”


Cyber criminals are already exploiting the serious vulnerabilities in Microsoft Exchange Server, and by no means all affected systems have received the updates that close these gaps. Now vulnerable Exchange servers are also becoming the target of ransomware that enters the systems through the same gaps. Microsoft has since confirmed a corresponding report from BleepingComputer.

On March 3, Microsoft released unscheduled security updates for Exchange Server that close four critical vulnerabilities. By that time there were already attacks chaining and exploiting these vulnerabilities as zero-days, known as “ProxyLogon”, through which attackers gain full control over a system. On March 9, a website that examines ransomware samples received samples of a new ransomware variant for the first time, almost all of which came from Exchange servers, BleepingComputer reported.

In the BleepingComputer forum, one user also describes how an Exchange server he administers was compromised via “ProxyLogon” and is now infected with malware called “DearCry”. Ransomware cryptographically encrypts some or all files on an infected system and demands that users pay a ransom to obtain a decryption key. Because the first exploits for the “ProxyLogon” vulnerabilities were already circulating, it was feared that ransomware attacks on Exchange would soon follow. This extortion malware is one of the most lucrative forms of cybercrime; victims are often willing to pay the demanded amount (though it is not certain that they will then receive the promised key).

Microsoft’s security specialist Phillip Misner confirmed shortly afterwards on Twitter that a new ransomware, which he called “DoejoCrypt”, had been spotted on Exchange systems. The attacks are human-operated and use the ProxyLogon vulnerabilities.

BleepingComputer also learned from a McAfee employee that their monitoring team had already discovered such attacks in the USA, Luxembourg, Indonesia, India, Ireland and Germany. The BSI’s CERT-Bund IT emergency team also mentions on Twitter that there are initial indications of ransomware attacks on Exchange.

The attacks on the vulnerabilities in Exchange Server are a significant threat to IT security worldwide. The BSI sees tens of thousands of affected systems in Germany alone and has already declared “IT threat situation red”. Administrators should act immediately: install the updates and examine their systems for signs of attack; Microsoft provides, among other things, a PowerShell script for this purpose.
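The first step the article asks of administrators is to confirm that the March 3 update is actually installed. The following PowerShell snippet is an added example, not code from the article or from Microsoft, and it does not replace Microsoft's own checking script. It reads the exact Exchange build from ExSetup.exe and compares it with a minimum patched build that the administrator must take from Microsoft's release documentation for their cumulative update; the build value shown in the usage line is a placeholder, not a real patched build number.

```powershell
# Added example (not from the article or Microsoft): report whether the
# installed Exchange build is at or above the patched build for its CU.
# Run from an elevated Exchange Management Shell on the Exchange server.

function Get-InstalledExchangeBuild {
    # ExSetup.exe carries the exact build of the installed server and is on
    # the path inside the Exchange Management Shell. Its ProductVersion is
    # zero-padded (e.g. 15.01.2176.009), which [version] parses correctly.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.ProductVersion
}

function Test-ExchangeBuildPatched {
    param(
        # Minimum build that contains the March 3, 2021 security update for
        # the cumulative update installed on this server. Builds are only
        # comparable within the same CU, so supply the value for your CU
        # from Microsoft's documentation. No real build number is assumed here.
        [Parameter(Mandatory)] [version] $MinimumPatchedBuild
    )
    $installed = Get-InstalledExchangeBuild
    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        InstalledBuild = $installed.ToString()
        MinimumBuild   = $MinimumPatchedBuild.ToString()
        Patched        = ($installed -ge $MinimumPatchedBuild)
    }
}

# Usage (the build below is a placeholder, replace it with the documented
# patched build for your CU):
# Test-ExchangeBuildPatched -MinimumPatchedBuild '15.0.0.0'
```

A result of `Patched = False` means the update has not been applied and the server should be treated as exposed; a `True` result only confirms the patch level and says nothing about whether the server was already compromised before the update, which is why the article also recommends examining the system for signs of attack.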
