
After Hafnium, DearCry Ransomware Targets Microsoft Exchange Servers

Threat actors are installing new ransomware “DearCry” after compromising Microsoft Exchange servers.


The Microsoft Exchange attacks are taking new twists day by day. In just days, the threat escalated from limited state-sponsored attacks to numerous targeted attacks by multiple hacking groups. The severity of the attacks also escalated from web shells to ransomware. “We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” Microsoft said.

Microsoft’s security researcher Phillip Misner stated that ransomware operators are now exploiting recently disclosed ProxyLogon vulnerabilities in their attacks. It was found that the threat actors installed new ransomware dubbed “DearCry” after compromising Microsoft Exchange servers.


Once installed on a compromised server, the DearCry ransomware creates a Windows service named “msupdate” that encrypts sensitive data. Thousands of Exchange servers are suspected to be vulnerable to DearCry ransomware, and hundreds of servers are believed to have already been compromised.
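The “msupdate” service name is the one concrete host indicator the article gives, so a defender's first check is whether that service was ever installed. The following is an added example, not code from the article or from Microsoft: it triages Windows System log records (Service Control Manager event 7045, “A service was installed in the system”) that are assumed to have already been exported as dictionaries, flagging the DearCry service name and, as a second heuristic that is an assumption of this example, any new service whose binary lives in a temp or public directory. The sample events are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample export of Service Control Manager events from the Windows
# System log. Event 7045 = "A service was installed in the system"; 7036 is a
# routine state change and is ignored here.
SAMPLE_EVENTS = [
    {"EventID": 7045,
     "ServiceName": "Windows Defender Advanced Threat Protection Service",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"EventID": 7045,
     "ServiceName": "msupdate",                     # name the article attributes to DearCry
     "ImagePath": r"C:\Windows\Temp\svc.exe"},
    {"EventID": 7036, "ServiceName": "msupdate", "ImagePath": ""},
]

# Service name reported for DearCry in the article.
SUSPECT_SERVICE_NAMES = {"msupdate"}
# Directories from which a freshly installed service binary is unusual on an
# Exchange server (assumption for this example; tune to the environment).
SUSPECT_PATH_PREFIXES = (r"c:\windows\temp", r"c:\users\public", r"c:\programdata")


@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: list = field(default_factory=list)


def triage_service_installs(events):
    """Return a Finding for every 7045 record that matches a DearCry indicator
    or the writable-directory heuristic."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:          # only "service installed" events
            continue
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        reasons = []
        if name.lower() in SUSPECT_SERVICE_NAMES:
            reasons.append("service name matches DearCry indicator")
        # ImagePath may be quoted; strip a leading quote before comparing.
        if path.lower().lstrip('"').startswith(SUSPECT_PATH_PREFIXES):
            reasons.append("service binary installed from temp/public directory")
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_service_installs(SAMPLE_EVENTS):
        print(f"{f.service_name!r} ({f.image_path}): {'; '.join(f.reasons)}")
```

A match on the service name alone is worth escalating; the directory heuristic is only a prioritisation aid and will also surface legitimate installers.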

Hafnium is Still Active!

Earlier, the Microsoft Threat Intelligence Center (MSTIC) identified a state-sponsored threat actor group targeting unpatched vulnerabilities in Microsoft systems. Dubbed Hafnium, the hacking group is suspected to be operating from China, using leased virtual private servers (VPS) in the U.S. The group previously targeted several entities in the U.S. to exfiltrate sensitive data from multiple industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Patch Now!

Microsoft released fixes to address four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) and three other vulnerabilities (CVE-2021-27078, CVE-2021-26854, and CVE-2021-26412) in Microsoft Exchange Server. The technology giant urged organizations and users to apply the available security patches, or temporarily disable external access to Microsoft Exchange, as soon as possible.

“Our strong recommendation is that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs,” Microsoft added.