AL2021_06 Hackers targeting Microsoft Exchange Servers with Ransomware (12th March 2021)

Description

Over the past two weeks, vulnerabilities have been found affecting Microsoft Exchange Servers. Hackers are now targeting these vulnerabilities to carry out ransomware attacks.

Summary

Days after the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and cyber researchers warned everyone about the possible outcome of the potential threat, hackers exploited the Microsoft Exchange email server vulnerabilities to carry out ransomware attacks.

Microsoft researcher Phillip Misner tweeted: “Microsoft observed a new family of human operated ransomware attack customers detected as Ransom:Win32/DoejoCrypt.A.” “Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.”

How does the attack work?

The first step is gaining access to an Exchange server, either with stolen credentials or by using the previously undiscovered vulnerabilities, which let the attacker pose as someone who should have access. The attacker then creates a web shell to control the compromised server remotely, and finally uses that remote access, run from U.S.-based private servers, to steal data from an organization’s network.
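A check an administrator could run for the web shell step described above, as an added example that is not part of the original alert: it lists web script files created or changed in a web-served directory since a cutoff date, with owner and hash for triage. The function name, the `-Root` path (none is given in this alert), the extension list and the default cutoff (two weeks before this alert's date) are assumptions.

```powershell
# Added example, not from the original alert.
# Assumptions: -Root is supplied by the administrator; the default -Since
# is two weeks before the alert date of 12 March 2021.
function Find-RecentWebScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Root,
        [datetime]$Since = [datetime]'2021-02-26',
        [string[]]$Extension = @('.aspx', '.ashx', '.asmx')
    )
    $cutoff = $Since.ToUniversalTime()
    foreach ($dir in $Root) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Warning "Skipping '$dir': not a directory"
            continue
        }
        # -Force includes hidden files; unreadable folders are skipped silently.
        Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($Extension -contains $_.Extension.ToLowerInvariant()) -and
                ($_.CreationTimeUtc -ge $cutoff -or $_.LastWriteTimeUtc -ge $cutoff)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    CreatedUtc  = $_.CreationTimeUtc
                    ModifiedUtc = $_.LastWriteTimeUtc
                    SizeBytes   = $_.Length
                    Owner       = (Get-Acl -LiteralPath $_.FullName).Owner
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Constructed demo: a temporary directory stands in for the server's web root.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'webroot-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'sample.aspx') -Value '<%-- constructed, benign --%>'
Find-RecentWebScript -Root $demo | Sort-Object CreatedUtc | Format-List
```

File timestamps can be altered by an intruder, so an empty result does not prove the server is clean. Each hit should be compared against the files shipped with the installed Exchange build.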

Solutions

It is recommended that users update the Microsoft Exchange server to address these vulnerabilities.

For further information on how to install updates for the Microsoft Exchange server kindly follow the below URL:

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

For further information on these vulnerabilities kindly follow the below URL:

https://thehackernews.com/2021/03/icrosoft-exchange-ransomware.html

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

Reference