Exchange Week 2 – Ransomware Joins The Fray
This post was last updated on July 4th, 2021 at 08:08 am
Following exposure and publication of a major remote execution vulnerability like Exchange’s ProxyLogon (CVE-2021-26855), we expect other threat actors to join the race against system administrators trying to patch their systems.
Initial reporting showed the threat actor dubbed HAFNIUM were quietly exploiting these vulnerabilities since at least January 2021. Following the release of patches and responsible disclosure by Volexity that followed, it was reported that up to 10 threat actors had begun actively attacking unpatched servers across the world.
Today we have confirmation that a NEW Ransomware variant was unleashed utilizing the Exchange ProxyLogon exploit.
The earliest report of this malware appears to be from 9 March in the BleepingComputer forum where the MalwareHunterTeam confirmed it’s novelty and relatively limited early distribution thus far.
Most Important: Patch your exposed Microsoft Exchange servers.
Regardless of when you patched, you need to assume you were compromised. The threat actors threw internet-wide scans across the world exploiting exchange servers enmass following disclosure last week. Some of these left silent backdoors waiting to be exploited following the application of patches – we should assume some of these will be used to deliver ransomware in the future.
Post exploit detection can be done effectively using Infocyte’s WebShell and Hafnium scanner which consolidates all-source threat intelligence and recommendations from Microsoft. Combined with our much more sophisticated rootkit and implant detection capabilities, it is the most comprehensive threat hunt you can perform on your exchange servers and surrounding systems.
Sign up today for a free guided assessment of your systems — our team is available to assist anyone going through an exchange-related breach.