DearCry Ransomware Targets Unpatched Exchange ServersOn-Premises Exchange Servers May Have Been Hacked Since January, Experts Warn
Ransomware-wielding attackers have begun to exploit a serious proxy-logon flaw in unpatched versions of Microsoft Exchange running on premises, Microsoft reports. Hackers have exploited the flaw to access vulnerable servers, crypto-lock files and demand a ransom from victims in return for the promise of a decryption tool.
See Also: Threat Briefing: Ransomware
News of the attack campaign follows Microsoft on March 2 issuing emergency patches to fix four zero-day flaws in Microsoft Exchange, which is one of the most widely used pieces of IT infrastructure in the world.
"Because we are aware of active exploits of related vulnerabilities in the wild," Microsoft said in its March 2021 Exchange Server Security Updates alert, which it continues to update, "our recommendation is to install these updates immediately to protect against these attacks."
In the wake of that warning, IT and incident response teams have been scrambling not just to get the patches installed, but to verify that the flaws were not used against them before the patches came to light. The U.S. Cybersecurity and Infrastructure Security Agency also issued an emergency directive ordering agencies to immediately investigate whether they had been compromised.
When Microsoft first began releasing security updates last week, it warned that a Chinese APT group called Hafnium, which it had never previously described, appeared to have been exploiting the flaws in recent months. But security firm ESET on Wednesday reported that on Jan. 3, at least three APT groups had begun to exploit the flaws before they were reported to Microsoft by a security researcher on Jan. 5. On Wednesday, ESET said it now believes at least 10 APT groups have been exploiting the flaws.
Security researchers have been warning all organizations using on-premises Exchange that until they patch the four zero-day flaws, they remain at serious risk of attacks from nation-states, criminals or others.
Such warnings gained extra impetus Wednesday, when independent security researcher Nguyen Jang posted to GitHub a proof-of-concept attack tool that chained together two of the four flaws to exploit Exchange servers. His attack tool was later removed from GitHub, which is owned by Microsoft.
Ransomware-Wielding Attackers Spotted
On Friday, Phillip Misner, a security manager at Microsoft, warned that a previously unseen group has been hitting unpatched Exchange servers with ransomware that's been dubbed DearCry, aka DoejoCrypt.
That followed Bleeping Computer first warning of the DearCry attacks on Thursday, after a victim of the attacks posted to Bleeping Computer's forum that their Exchange server had been exploited via the proxy-logon flaw, and DearCry ransomware dropped.
#Exchange Servers Possibly Hit With #Ransomware— Michael Gillespie (@demonslay335) March 11, 2021
ID Ransomware is getting sudden swarm of submissions with ".CRYPT" and filemarker "DEARCRY!" coming from IPs of Exchange servers from US, CA, AU on quick look. pic.twitter.com/wPCu2v6kVl
On Thursday, Michael Gillespie (@demonslay335), a security researcher at Emsisoft who created and runs the free ID Ransomware service, said that on Tuesday, users of his site began to submit samples of the ransomware for identification. He initially worried that there had been a "swarm" of attacks, but he later revised that assessment to say that so far, only six systems were known to have been infected.
Multiple security researchers, including James Quinn, a malware researcher at Binary Defense, have noted that DearCry "disables the service msupdate'" before commencing encryption, although it's not clear why. Researchers say encrypted files have a 'DEARCRY!' header added inside the file, and the extension ".CRYPT" appended to their filename.
Bleeping Computer reports that one victim of the DearCry campaign received a $16,000 ransom demand.
After Misner warned that Microsoft had been seeing DearCry-dropping attackers exploiting Exchange flaws, he confirmed that it was the same campaign that Gillespie had spotted.
Misner said the DearCry attackers have been exploiting the now-patched proxy-logon Exchange flaw - CVE-2021-26855 - patched last week by Microsoft. The other three flaws that have also been patched by Microsoft are CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
'We Aren't Surprised'
In other words, attackers seeking illicit profits have now begun to target organizations that have yet to patch Exchange.
“We aren’t surprised by this development," Matt Lock, technical director at security firm Varonis, tells Information Security Media Group. "The Exchange proxy-logon vulnerability has been used by hacker groups in the wild for about two months, and we know ransomware is a quick way to make some money from these."
It's also likely that attackers have been exfiltrating data. "We also have to assume that data is being taken, and the payloads being dropped will have instructions about how and where to send this," he says, so that attack groups can post samples of exfiltrated data to data leak sites to add pressure on victims to pay.
Security experts expect other crime gangs to quickly join the fray. "Though broad exploitation of the Microsoft Exchange vulnerabilities has already begun, many targeted organizations may have more to lose as this capability spreads to the hands of criminal actors who are willing to extort organizations and disrupt systems," says Ben Read, director of analysis at FireEye's Mandiant threat intelligence group.
Human-Operated Ransomware Campaigns
Microsoft says the DearCry ransomware is being used not for low-level, automated attacks, but instead as part of more advanced, human-operated ransomware campaigns. This refers to attacks that typically involve hackers gaining remote access to a victim's network - often by exploiting weak Remote Desktop Protocol or via phishing attacks - and then reconnoitering. Attackers may search for sensitive data and exfiltrate it or attempt to gain administrator-level access to an organization's Active Directory before pushing crypto-locking malware to as many endpoints as possible - as quickly as possible.
We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.— Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021
"This vulnerability allows a threat actor to navigate to getting system-level access, so the ability to laterally move to other machines has also been made easy," says Varonis' Lock.
"You could argue this is the perfect storm: system-level access to data, without requiring internal access, without knowing any credentials and without the need for any phishing activity," he says. "You’d be mad not to assume you’ve been breached, if you have an on-premises Exchange server.”
APT Attacks Began in January
As noted, Microsoft on March 2 issued its emergency patches for the four zero-day flaws in Exchange.
Microsoft says it first learned of the flaws on Jan. 5 after they were directly reported by security researcher Cheng-Da Tsai - also known as Orange Tsai (@orange_8361) - who works for the Taipei City, Taiwan-based consultancy Devcore.
The patch release of this BIG ONE is coming soon, and a short advisory is also standing by! (BTW, no one guess the right target in comments) https://t.co/EX1XgBxlkW— Orange Tsai (@orange_8361) March 2, 2021
As organizations scramble to patch on-premises Exchange, security experts say they must assume they have been hacked - potentially beginning in early January, if not before - until they can prove otherwise.
"Any organization running an on-premises Exchange server should assume that they are compromised," says Mandiant's Read.
That goes even for organizations that have already applied patches, experts say, because known attacks began before patches were issued.
For any organizations using Microsoft Exchange on premises that recently applied patches, Kevin Beaumont, a security researcher at Microsoft, says he "strongly recommends" they run a free tool, released by Microsoft, to help locate and delete any web shells - aka stealthy software providing remote access - that attackers may have dropped, and "which can persist even after patching."
If you use Microsoft Exchange on premises and recently patched— Kevin Beaumont (@GossiTheDog) March 12, 2021
I strongly recommend you run the following free tool on each server to find and remove planted webshells (backdoor access) which can persist even after patching. https://t.co/eBvBYvb4Lo
Experts say they expect to see many more organizations exploited, beyond what may already be thousands that have been hacked. "We have seen entities around the world impacted, and this includes some in the United Kingdom," Read says. "While we have not observed a focus on any specific sectors from this activity, our assessment is that the attackers are engaged in mass scanning and deployment, and this effort could allow them to select targets of the greatest intelligence value."