
Ransomware Gangs Are Starting to Hack Vulnerable Microsoft Exchange Servers

After Chinese government hackers took the lead, cybercriminals are stepping in to try to monetize unpatched Exchange email servers: “This is poised to be pretty bad,” a Microsoft researcher said.

The already disastrous hacks of Microsoft Exchange servers, used by thousands of companies all over the world to manage their emails, just got worse.

On Thursday night, Microsoft reported that it had detected a new type of ransomware targeting Exchange servers. According to Philip Misner, Microsoft's security program manager, the ransomware is called DoejoCrypt or DearCry. The ransomware gang is abusing the vulnerabilities that Chinese government hackers and other state-sponsored groups have been abusing for weeks, as Microsoft revealed at the beginning of March. According to news reports, the Chinese government hackers, who were the first to exploit the vulnerabilities, have broken into more than 30,000 companies in the US, and hundreds of thousands all over the world. 


“This is poised to be pretty bad”

Now, cybercriminals are piling on and trying to take advantage of the same vulnerabilities to make some cash. 

"In my opinion, this is poised to be pretty bad," said a Microsoft security researcher, who asked to remain anonymous because they were not authorized to speak to the press. The researcher said they think the hackers are still in a preliminary phase, sorting out which organizations they have broken into before deciding which ones to try to monetize.

Joe Slowik, a security researcher at DomainTools, told Motherboard in an online chat that while the government-backed hackers were targeting Exchange servers as a first step to hack into even more sensitive parts of an organization, the cybercrime gangs "will seek to execute disruptive effects such as ransomware." 

Do you have information about the breach of Microsoft Exchange servers or other data breaches? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

The good news is that, for now, cybercriminals have to manually target and exploit Exchange servers, and there's no evidence that they can make the ransomware spread in an automated way. 

"Based on all available information it is deployed post compromise via interactive operations and not automatically," Slowik said. "This makes it significantly different from a self-propagating ransomware variant like WannaCry."


According to Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, even cybercriminals who operate cryptocurrency miners on hacked computers are targeting vulnerable Exchange servers. This shows that even relatively unsophisticated hackers, like those who run cryptocurrency miners, are jumping onto the Exchange server hacking frenzy.

For Brett Callow, a security researcher at Emsisoft, companies will now face new challenges.

“Patching is easy whereas remediating isn’t. Small businesses may not even know how to work out whether they’ve been compromised, let alone fix any compromise which has already occurred,” Callow said in an online chat.

According to cybersecurity firm Palo Alto Networks, there are still around 80,000 Exchange servers that are vulnerable.

All these cybercriminals are taking advantage of the same vulnerabilities. Many organizations have yet to patch them, despite the fact that Microsoft published fixes for the vulnerabilities on March 2. 

Microsoft is doing all it can to limit the damage. On Wednesday, an independent security researcher published a proof-of-concept tool to hack Exchange servers on the popular Microsoft-owned open source repository GitHub. The company removed the tool, claiming it violated its Acceptable Use Policies, a move that caused controversy. 

"I am completely speechless here," Dave Kennedy, the founder of cybersecurity consultancy TrustedSec, said on Twitter. "This is huge, removing a security researchers' code from GitHub against their own product and which has already been patched. This is not good." 


For others, however, it was the right thing to do. 

"There's more than 50,000 unpatched exchange servers out there," Marcus Hutchins, a security researcher at Kryptos Logic, responded to Kennedy. "Releasing a full ready to go RCE chain is not security research, it's recklessness and stupid."

Ransomware gangs and run-of-the-mill cybercriminals getting in on the game shows that, perhaps, the genie is now out of the bottle.  

This story was updated to include a quote from Brett Callow and information from Palo Alto Networks.
