Security News

Threat actors are now installing a new ransomware called 'DEARCRY' after hacking into Microsoft Exchange servers using the recently disclosed ProxyLogon vulnerabilities. Since Microsoft revealed earlier this month that threat actors were compromising Microsoft Exchange servers using new zero-day ProxyLogon vulnerabilities, a significant concern has been when threat actors would use it to deploy ransomware.

On Wednesday, shortly after security researcher Nguyen Jang posted a proof-of-concept exploit on GitHub that abuses a Microsoft Exchange vulnerability revealed earlier this month, GitHub, which is owned by Microsoft, removed code, to the alarm of security researchers. The bug, referred to as ProxyLogon, was one of four Microsoft Exchange zero-days that Microsoft patched in an out-of-band release on March 3, 2021.

Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat groups, all bent on compromising email servers around the world. Microsoft said in early March that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server.

CISA officials said that, so far, there is no evidence of US federal civilian agencies compromised during ongoing attacks targeting Microsoft Exchange servers. "At this point in time, there are no federal civilian agencies that are confirmed to be compromised by this campaign," Eric Goldstein, CISA executive assistant director for cybersecurity, said in a testimony before the Homeland Security Subcommittee.

At least 10 threat actors are currently involved in the targeting of Microsoft Exchange servers that are affected by recently disclosed zero-day vulnerabilities, according to cybersecurity firm ESET. On March 2, Microsoft announced patches for four bugs that were part of a pre-authentication remote code execution attack chain already being exploited in the wild. Now, ESET reveals that at least 10 threat actors are actively engaged in such attacks, including Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, ShadowPad, Mikroceen, and DLTMiner.

The exploit at a democratic institution such as Stortinget is certainly ominous, perhaps more so than the woes in recent days of organisations such as the European Banking Authority. Stortinget president Tone Wilhelmsen Trøen said: "The attack we are facing shows that IT attacks can have serious consequences for democratic processes at worst."

Commentary: Enterprises try their best to secure their data, but running on-premises mail servers arguably doesn't do this. We can have a debate about how soon enterprises should embrace cloud.

Criminals have been targeting organizations that run Exchange hoping to breach ones that haven't patched the latest bugs, says ESET. Four critical zero-day vulnerabilities in Microsoft Exchange have paved the way for attackers to take over accessible Exchange servers even without knowing the credentials. The four Exchange vulnerabilities in question were first uncovered by vulnerability researcher Orange Tsai, who reported them to Microsoft on Jan. 5, according to ESET. But security firm Volexity, which also alerted Microsoft, claims the exploitation of these flaws started on Jan. 3.

Norway's parliament, the Storting, has suffered another cyberattack after threat actors stole data using the recently disclosed Microsoft Exchange vulnerabilities. Last week, Microsoft released emergency security updates for Microsoft Exchange to fix zero-day vulnerabilities, known as ProxyLogon, used in attacks.

More state-sponsored hacking groups have joined the ongoing attacks targeting tens of thousands of on-premises Exchange servers impacted by severe vulnerabilities tracked as ProxyLogon. Exchange servers attacked by multiple hacking groups.