Microsoft Exchange Server hacks ‘doubling’ every two hours

A ransomware variant is now also leveraging the critical vulnerabilities.


By Charlie Osborne for Zero Day | March 12, 2021 -- 08:35Topic: Security


Cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server with attack rates doubling every few hours.

Search

 MUST READ: Next for Windows 10: What to expect from the version 21H1 feature update

Microsoft Exchange Server hacks ‘doubling’ every two hours

A ransomware variant is now also leveraging the critical vulnerabilities.

Charlie Osborne

By Charlie Osborne for Zero Day | March 12, 2021 -- 08:35 GMT (00:35 PST) | Topic: Security

Cyberattackers are taking full advantage of slow patch or mitigation processes on Microsoft Exchange Server with attack rates doubling every few hours.  

SECURITY

Everything you need to know about the Microsoft Exchange Server hack

Cyber security 101: Protect your privacy from hackers, spies, and the government

The best antivirus software and apps

The best VPNs for business and home use

The best security keys for two-factor authentication

Why some governments are getting cyber crime gangs to do their hacking for them (ZDNet YouTube)

According to Check Point Research (CPR), threat actors are actively exploiting four zero-day vulnerabilities tackled with emergency fixes issued by Microsoft on March 2 -- and attack attempts continue to rise. 

In the past 24 hours, the team has observed "exploitation attempts on organizations doubling every two to three hours."

The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively. 

Government, military, manufacturing, and then financial services are currently the most targeted industries. 

screenshot-2021-03-12-at-08-12-25.png

Palo Alto estimates that at least 125,000 servers remain unpatched worldwide.

The critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) impact Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

This week, ESET revealed at least 10 APT groups have been linked to current Microsoft Exchange Server exploit attempts. 

On March 12, Microsoft said that a form of ransomware, known as DearCry, is now utilizing the server vulnerabilities in attacks. The tech giant says that after the "initial compromise of unpatched on-premises Exchange Servers" ransomware is deployed on vulnerable systems, a situation reminiscent of the 2017 WannaCry outbreak. 

"Compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges," commented Lotem Finkelsteen, Manager of Threat Intelligence at Check Point. "Organizations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets."

According to Check Point Research (CPR), threat actors are actively exploiting four zero-day vulnerabilities tackled with emergency fixes issued by Microsoft on March 2 -- and attack attempts continue to rise.

In the past 24 hours, the team has observed "exploitation attempts on organizations doubling every two to three hours."

The countries feeling the brunt of attack attempts are Turkey, the United States, and Italy, accounting for 19%, 18%, and 10% of all tracked exploit attempts, respectively.

Government, military, manufacturing, and then financial services are currently the most targeted industries.

Palo Alto estimates that at least 125,000 servers remain unpatched worldwide.

The critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) impact Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

With an IBM Cloud Lite account, try 40+ services FREE, including Watson APIs, DevOps tools and more. No credit card required. No time limits.
White Papers provided by IBM

Microsoft issued emergency, out-of-band patches to tackle the security flaws -- which can be exploited for data theft and server compromise -- and has previously attributed active exploit to Chinese advanced persistent threat (APT) group Hafnium.

This week, ESET revealed at least 10 APT groups have been linked to current Microsoft Exchange Server exploit attempts.

On March 12, Microsoft said that a form of ransomware, known as DearCry, is now utilizing the server vulnerabilities in attacks. The tech giant says that after the "initial compromise of unpatched on-premises Exchange Servers" ransomware is deployed on vulnerable systems, a situation reminiscent of the 2017 WannaCry outbreak.

"Compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges," commented Lotem Finkelsteen, Manager of Threat Intelligence at Check Point. "Organizations who are at risk should not only take preventive actions on their Exchange, but also scan their networks for live threats and assess all assets."

PREVIOUS AND RELATED COVERAGE
Everything you need to know about the Microsoft Exchange Server hack