Security News > 2022 > June > Microsoft: Exchange servers hacked to deploy BlackCat ransomware
Microsoft says BlackCat ransomware affiliates are now attacking Microsoft Exchange servers using exploits targeting unpatched vulnerabilities.
Two weeks after the initial compromise using an unpatched Exchange server as an entry vector, the threat actor deployed BlackCat ransomware payloads across the network via PsExec.
While Microsoft did not name the ransomware affiliate who deployed BlackCat ransomware in this case study, the company says several cybercrime groups are now affiliates of this Ransomware as a Service operation and are actively using it in attacks.
BlackCat ransomware is also being deployed by an affiliate group tracked as DEV-0504 that typically exfiltrates stolen data using Stealbit, a malicious tool the LockBit gang provides its affiliates as part of its RaaS program.
To defend against BlackCat ransomware attacks, Microsoft advises organizations to review their identity posture, monitor external access to their networks, and update all vulnerable Exchange servers in their environment as soon as possible.
In April, the FBI warned in a flash alert that the BlackCat ransomware had been used to encrypt the networks of at least 60 organizations worldwide between November 2021 and March 2022.
News URL
Related news
- Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs (source)
- Microsoft 365 apps crash on Windows Server after Office update (source)
- Microsoft fixes Office 365 apps crashing on Windows Server systems (source)
- Microsoft fixes Windows Server 2022 bug breaking device boot (source)
- Microsoft: Exchange 2016 and 2019 reach end of support in October (source)
- Ransomware attackers are “vishing” organizations via Microsoft Teams (source)
- Ransomware gangs pose as IT support in Microsoft Teams phishing attacks (source)
- Microsoft issues out-of-band fix for Windows Server 2022 NUMA glitch (source)
- One of Salt Typhoon's favorite flaws still wide open on 91% of at-risk Exchange Servers (source)
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)