More and more hackers are targeting unpatched Microsoft Exchange servers and employing new tactics and tools. Yesterday’s report from ESET says at least 10 state-backed hacking groups are now trying to exploit the flaws.
Today, Microsoft is warning that attackers are deploying a strain of ransomware known as DearCry, and it is once again urging Exchange customers to apply the emergency patches it released last week.
“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” Microsoft warned in a tweet.
The malware affects Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019; Exchange Online is not affected.
Microsoft said customers who have Microsoft Defender turned on and an antivirus with automatic updates don’t need to take additional action. They still need to patch their Exchange servers.
In addition, Microsoft released a script on its GitHub that server admins can use to find web shells on Exchange servers.
The attackers were deploying web shells that can steal data and provide attackers persistent access to servers after the initial compromise.
That Microsoft script is handy for removing the infection from an already compromised system. Microsoft security researcher Kevin Beaumont recommends that organizations run the script after patching to double-check that the web shells have been removed.
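For administrators who want a quick, independent triage pass alongside Microsoft's script, the following PowerShell is an added example written for this article; it is not Test-ProxyLogon.ps1 or any other Microsoft code. It lists recently modified ASP.NET files under the Exchange front-end and client-access directories, hashes them, and flags the ones containing strings that commonly appear in web shells. The default install path, the extra IIS path and the cut-off date are assumptions to adjust for your environment, and a hit only means "look at this file", not that it is malicious.

```powershell
# Added example (not Microsoft's Test-ProxyLogon.ps1): surface recently changed
# .aspx/.ashx/.asmx files in Exchange's IIS directories for manual review.
# Paths and the $Since cut-off are assumptions; tune them to your deployment.
param(
    [string]$ExchangeRoot = "C:\Program Files\Microsoft\Exchange Server\V15",  # assumed default install path
    [datetime]$Since = (Get-Date "2021-02-26")                               # assumed: start of the attack window
)

# Directories where dropped web shells are most often found (assumed locations).
$paths = @(
    (Join-Path $ExchangeRoot "FrontEnd\HttpProxy"),
    (Join-Path $ExchangeRoot "ClientAccess"),
    "C:\inetpub\wwwroot\aspnet_client"
)

# Constructed list of strings typical of ASP.NET web shells; purely heuristic.
$patterns = @('Request\[', 'Request\.Item', 'eval\(', 'Process\.Start', 'Invoke-Expression', 'JScript')

$findings = foreach ($dir in ($paths | Where-Object { Test-Path -LiteralPath $_ })) {
    Get-ChildItem -Path $dir -Recurse -Include *.aspx, *.ashx, *.asmx -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -ge $Since.ToUniversalTime() } |
        ForEach-Object {
            $file    = $_
            $content = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            # Keep only the heuristic patterns actually present in this file.
            $hits    = @($patterns | Where-Object { $content -match $_ })
            [pscustomobject]@{
                Path               = $file.FullName
                LastWriteUtc       = $file.LastWriteTimeUtc
                SizeBytes          = $file.Length
                Sha256             = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                SuspiciousPatterns = ($hits -join ', ')
            }
        }
}

# Newest changes first; anything with SuspiciousPatterns set deserves a manual look.
$findings | Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Exchange server. Preserve the reported SHA-256 hashes and timestamps before deleting anything, since they are the evidence an incident responder will want when reconstructing what happened after the initial compromise.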
The importance of this measure can't be overstated. Independent security researchers reported attacks in Canada, Denmark, the United States, Australia and Austria days after Microsoft issued the patch and warned its Exchange customers of the danger.
The US CISA strongly recommends organizations use the Test-ProxyLogon.ps1 script as soon as possible to help them protect their Exchange servers.