Without a doubt, the Microsoft Exchange Server attacks have been one of the biggest cybersecurity stories to break so far this year. Four distinct zero-day vulnerabilities were left exposed, and cybercriminals wasted no time exploiting them. In addition to the DearCry ransomware family revealed in early March 2021, victims now have to contend with the Black Kingdom (also known as Pydomer) ransomware gang as well. Patches for the zero-day vulnerabilities have been released, and the number of unpatched servers has dropped dramatically, from about 80,000 on March 14th to fewer than 30,000 on March 22nd, 2021, according to Microsoft reports.
According to a tweet from the Microsoft Security Response Center addressing the Exchange Server patches:
Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates:
• 92% of worldwide Exchange IPs are now patched or mitigated.
• 43% improvement worldwide in the last week.
— Security Response (@msftsecresponse) March 22, 2021
Additionally, in a March 25th 2021 blog post, Microsoft said that “As of today, we have seen a significant decrease in the number of still-vulnerable servers,” and added that “We continue to work with our customers and partners to mitigate the vulnerabilities.”
Unfortunately, attacks against the still-vulnerable servers haven’t decreased as more malware families and botnets are now attempting to hack them. Early in March 2021, DoejoCrypt, also known as DearCry, was the first ransomware gang to attack Exchange Server vulnerabilities. But in the time since the news broke about the unpatched servers, a new threat has emerged in the form of the Black Kingdom ransomware family.
Researchers tracking the Black Kingdom ransomware have observed mass scanning for unpatched Exchange Servers. The attackers are believed to be targeting publicly exposed vulnerabilities, including unpatched versions of Pulse Secure VPN.
According to Microsoft, Black Kingdom operators “started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available.”
The Black Kingdom web shells were found on around 1,500 systems, but, luckily, ransomware wasn’t installed on any of them. Microsoft believes the group is likely to try to monetize unauthorized access in a different way.
Surprisingly, on systems where the ransomware was installed, the attackers leveraged a “non-encryption extortion technique,” meaning that a ransom note was introduced, but no files were encrypted.
Microsoft warns that if victims find a note, they should take it seriously, as that is evidence that the attackers had complete access to networks and may have exfiltrated data.
The Lemon Duck Cryptocurrency Botnet Joins the Party
In addition to the DearCry and Black Kingdom hacking groups, the Lemon Duck cryptocurrency botnet, which runs PowerShell commands directly rather than dropping files or web shells on the compromised server, has also joined the Microsoft Exchange Server attack party.
Lemon Duck operators have been observed attacking multiple Exchange Servers, and it seems that, more recently, they have been using the infection as a malware loader rather than just as a cryptominer.
Attacks targeted at unpatched Exchange Servers are unlikely to cease any time soon, and criminal outfits may continue to threaten victimized servers even after patches are installed. In other words, don’t expect the news regarding Microsoft Exchange Server vulnerabilities to dwindle.