Microsoft’s struggle to keep its products and customers secure continues: the company has confirmed that DearCry ransomware is being deployed against Microsoft Exchange servers. Attackers first break into unpatched on-premises Exchange servers and then drop DearCry on the compromised systems.
According to Phillip Misner, a Program Manager at Microsoft Security, the company has discovered a new family of human-operated ransomware being used against customers.
This comes just over a week after Microsoft’s internal investigation attributed attacks on its mail server software to Hafnium, a China-based state-sponsored hacking group. The investigation found that Hafnium had exploited several previously unknown (zero-day) vulnerabilities in Exchange.
“Microsoft observed a new family of human-operated ransomware attack on customers. Human-operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers,” Microsoft Security Program Manager Phillip Misner tweeted on Thursday night.
Misner’s tweet came less than two hours after BleepingComputer reported that threat actors were exploiting the ProxyLogon zero-day vulnerabilities in Microsoft Exchange servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) to install the DearCry ransomware.
DearCry resembles WannaCry, according to security experts who have studied its behaviour.
“From an encryption-behaviour view, DearCry is what Sophos ransomware experts call a ‘Copy’ ransomware,” said Mark Loman, a ransomware expert and Director – Engineering Technology Office, Sophos.
“It creates encrypted copies of the attacked files and deletes the originals. This causes encrypted files to be stored in different logical sectors, allowing victims to potentially recover some data, depending on when Windows reuses the freed logical sectors,” explained Loman.
“More notorious human-operated ransomware like Ryuk, REvil, BitPaymer, Maze and Clop are ‘In-Place’ ransomware. Such an attack causes the encrypted file to be stored in the same logical sectors, making recovery via undelete tools impossible,” added Loman.
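The storage behaviour Loman describes can be modelled in a few dozen lines. The following is an added example written for this page, not code from Sophos, the article, or any DearCry sample: a toy sector-based disk whose allocator frees sectors on delete without wiping them (as real filesystems do), a ‘Copy’ encryptor, an ‘In-Place’ encryptor, and an undelete-style carver that scans free sectors for a known plaintext signature. The one-byte XOR “encryption”, the 16-byte sectors and the sample mail file are all assumptions chosen to keep the demo readable and harmless.

```python
"""Toy model of 'Copy' versus 'In-Place' ransomware on a sector-based disk.

Added example, not from the article, Sophos or any DearCry sample. It models
only the storage behaviour Loman describes; the "encryption" is a one-byte
XOR stand-in (assumption) so the demo stays readable and harmless.
"""

SECTOR = 16            # bytes per logical sector (assumed small for readability)
TOY_KEY = 0x5A         # assumption: a real sample would use hybrid RSA/AES

# Constructed sample file; the 'Subject:' header is the marker we carve for.
SAMPLE = b"Subject: Q1 numbers\nBody: see attached spreadsheet.\n"


def toy_encrypt(data: bytes) -> bytes:
    """Length-preserving XOR; applying it twice restores the plaintext."""
    return bytes(b ^ TOY_KEY for b in data)


class ToyDisk:
    """A block device plus a minimal allocator that behaves like a real
    filesystem in one key respect: deleting a file frees its sectors but
    does not wipe them."""

    def __init__(self, n_sectors: int):
        self.sectors = [bytearray(SECTOR) for _ in range(n_sectors)]
        self.free = set(range(n_sectors))
        self.files = {}            # name -> (sector index list, byte length)

    def _alloc(self, n: int) -> list:
        chosen = sorted(self.free)[:n]     # lowest free sectors first
        if len(chosen) < n:
            raise RuntimeError("disk full")
        self.free.difference_update(chosen)
        return chosen

    def _put(self, idx: list, data: bytes) -> None:
        for k, i in enumerate(idx):
            chunk = data[k * SECTOR:(k + 1) * SECTOR]
            self.sectors[i][:] = chunk.ljust(SECTOR, b"\0")

    def write_file(self, name: str, data: bytes) -> None:
        idx = self._alloc(-(-len(data) // SECTOR))   # ceiling division
        self._put(idx, data)
        self.files[name] = (idx, len(data))

    def read_file(self, name: str) -> bytes:
        idx, size = self.files[name]
        return b"".join(bytes(self.sectors[i]) for i in idx)[:size]

    def delete_file(self, name: str) -> None:
        idx, _ = self.files.pop(name)
        self.free.update(idx)                 # sectors released, contents intact


def copy_ransomware(disk: ToyDisk, name: str) -> None:
    """'Copy' style (DearCry, per Sophos): encrypted copy goes to fresh
    sectors, the original is deleted, so its plaintext survives in free space."""
    disk.write_file(name + ".CRYPT", toy_encrypt(disk.read_file(name)))
    disk.delete_file(name)


def in_place_ransomware(disk: ToyDisk, name: str) -> None:
    """'In-Place' style (Ryuk, REvil, ..., per Sophos): ciphertext overwrites
    the very sectors that held the plaintext, so nothing is left to undelete."""
    idx, size = disk.files[name]
    disk._put(idx, toy_encrypt(disk.read_file(name)))
    disk.files[name + ".CRYPT"] = disk.files.pop(name)


def carve_free_sectors(disk: ToyDisk, marker: bytes) -> list:
    """Undelete-tool behaviour: scan sectors the filesystem calls free for a
    known plaintext signature and return (sector, contents) hits."""
    hits = []
    for i in sorted(disk.free):
        raw = bytes(disk.sectors[i])
        if marker in raw:
            hits.append((i, raw.rstrip(b"\0")))
    return hits


def demo(mode: str, reuse_freed_sectors: bool = False) -> list:
    """Run one scenario and return what an undelete scan recovers."""
    disk = ToyDisk(64)
    disk.write_file("mail.txt", SAMPLE)
    if mode == "copy":
        copy_ransomware(disk, "mail.txt")
    elif mode == "in_place":
        in_place_ransomware(disk, "mail.txt")
    else:
        raise ValueError(mode)
    if reuse_freed_sectors:
        # Loman's caveat: recovery only works until the OS reuses the freed
        # sectors; a later write lands on the lowest free sectors and wipes them.
        disk.write_file("filler.bin", b"X" * 64)
    return carve_free_sectors(disk, b"Subject:")


if __name__ == "__main__":
    for mode, reuse in (("copy", False), ("copy", True), ("in_place", False)):
        hits = demo(mode, reuse)
        print(f"{mode:9s} reuse={reuse!s:5s} recovered {len(hits)} sector(s)")
```

Running it shows the three cases side by side: the ‘Copy’ scenario leaves the original header recoverable from sector 0, the same scenario followed by one more write recovers nothing because the allocator hands the freed sectors back out, and the ‘In-Place’ scenario never leaves plaintext in free space at all. For a real incident the lesson is the same as Loman’s: image the disk before anything else writes to it, then carve.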
Given this, Microsoft Security Intelligence said that Microsoft Defender customers with automatic updates enabled are already protected against the new ransomware.
“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as … DearCry ,” Microsoft Security Intelligence tweeted on Thursday.
More worrying for many on-premises Exchange customers is that they cannot apply the security update to their mail servers at all. Although Microsoft has released the patches, BleepingComputer reported that around 80,000 servers run older builds that cannot install them directly, because the security update only applies to a supported Cumulative Update level.
While so many Exchange customers remain unable to patch, those vulnerabilities stay open for ransomware groups to exploit.
“Though many of the still-unpatched organisations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk, as they disrupt organisations and even extort victims by releasing stolen emails,” said John Hultquist, VP – Analysis, Mandiant Threat Intelligence, a part of FireEye.
“Ransomware operators can monetize their access by encrypting emails or threatening to leak them, a tactic they have recently adopted,” added Hultquist.
According to ESET Research, at least 10 different advanced hacking (APT) groups are exploiting the zero-day vulnerabilities. It has found that LuckyMouse, Tick, Winnti Group and Calypso, among others, are likely using the recent Microsoft Exchange vulnerabilities to compromise email servers around the world.
Many of these groups had not only access to servers but apparently knowledge of the vulnerabilities themselves, which makes Microsoft’s job harder; how the details spread before the security update shipped, and whether reverse engineering of the update played any role, remains an open question.
Microsoft Exchange has been around for nearly 25 years: it was first released on April 11, 1996, and has had 10 major releases to date.