Update on ProxyLogon Attacks

This second wave of attacks on Microsoft Exchange email servers, which exploit the ProxyLogon vulnerabilities, began in February. However, these attacks have reportedly increased tenfold in the last week or so with at least 10 hacking groups involved in the exploits. Cybersecurity firm Check Point Research (CPR) reported that the number of attacks increased from 700 on 11 March to over 7,200 on 15 March. CPR’s report also states that the most targeted country is the US with 17% of all exploit attempts. The US is followed by Germany with 6%, the UK and the Netherlands both with 5%, and Russia with 4%. The most targeted industry is government and the military (23%), followed by manufacturing (15%), banking and financial services (14%), software vendors (7%), and healthcare (6%). Others report that cybercriminals are taking advantage of companies’ slowness in applying patches, with attack rates doubling every few hours. It’s as if cybercriminals are racing to attack as many companies as possible before all Microsoft Exchange servers are patched.

Number of Servers Still Vulnerable

Although the number of vulnerable Exchange servers has fallen, there are still many servers around the world that need patching. According to a Microsoft blog post, on 1 March there were some 400,000 vulnerable Exchange servers. This number went down to just over 100,000 servers by 9 March. As of 12 March, Microsoft estimated that some 80,000 servers remained unpatched worldwide. A large number of these unpatched servers are older, out-of-support Microsoft Exchange servers that cannot apply Microsoft’s original security updates. Consequently, Microsoft has since released ProxyLogon security patches for older Exchange servers. So far it has released updates for Exchange Servers 2013, 2016 and 2019, which Microsoft would normally no longer patch.

Ransomware Variant Leveraging Vulnerabilities

The ProxyLogon attacks are being used to drop cryptominers, webshells and, most recently, ransomware on compromised Microsoft Exchange servers. The new strain of ransomware, known as DearCry, exploits unpatched servers for propagation purposes. Last Friday, Microsoft Security Program Manager Phillip Misner tweeted: “Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A [aka DearCry]. Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.” Microsoft Security Intelligence later announced via Twitter that users with Microsoft Defender activated on their systems were protected against DearCry. If users are set up to receive automatic Defender updates, they will be protected without having to take any action. Reportedly, victims of DearCry are unlikely to be able to recover encrypted files for free.
