Cyber criminals are already exploiting serious vulnerabilities in Microsoft Exchange Server, and many affected systems have still not received the updates that close those vulnerabilities. Now vulnerable Exchange servers have also become a target for ransomware that enters systems through these vulnerabilities. Microsoft has since confirmed the corresponding report from Computer.
Encrypted files and ransom note
On March 3, Microsoft released out-of-band security updates for Exchange Server that close four critical vulnerabilities. By then the vulnerabilities, collectively known as “ProxyLogon”, were already being exploited in attacks as zero-days; the attackers gain complete control of the system. On March 9, a website that analyzes submitted ransomware samples received samples of a new ransomware variant for the first time, and nearly all of them came from Exchange servers, Computer reported.
In a forum run by Computer, a user also describes how the Exchange server he manages was hacked via “ProxyLogon” and is now infected with malware called “DearCry”. Ransomware encrypts some or all of the files on an infected system and demands that the victims pay a ransom to obtain the decryption key. Since the “ProxyLogon” vulnerabilities were already being exploited widely, it was feared that ransomware attacks on Exchange would soon follow. This extortion malware is one of the most profitable forms of cybercrime; victims are often willing to pay the demanded amount (although it is not certain that they will then receive the promised key).
Microsoft confirms a new variant of ransomware
Microsoft security specialist Phillip Misner confirmed shortly afterwards on Twitter that a new ransomware, dubbed “DoejoCrypt”, had been discovered on Exchange systems. The attacks were human-operated and used the ProxyLogon vulnerabilities.
Computer also learned from a McAfee employee that their monitoring team has already detected such attacks in the United States, Luxembourg, Indonesia, India, Ireland and Germany. The BSI’s CERT-Bund IT emergency team is likewise reporting on Twitter that there are initial indications of ransomware attacks on Exchange.
Attacks on the Exchange Server vulnerabilities pose a major threat to IT security worldwide. In Germany alone, the BSI sees tens of thousands of affected systems and has already declared IT threat level “red”. Administrators must act immediately: install the updates and check their systems for signs of compromise; among other things, Microsoft provides a PowerShell script for this purpose.