DearCry: Exchange Server Vulnerability Exploitation With A Side Of Ransomware
A couple of weeks ago, Microsoft released details of critical 0-day vulnerabilities in on-premises deployments of Microsoft Exchange Server, which were being actively exploited in limited and targeted attacks.
These initial attacks were attributed to a Chinese based; state sponsored group known as HAFNIUM. Further investigation suggested potentially tens of thousands of victims. According to Microsoft, these targeted attacks enabled access to email accounts hosted by the server and allowed for the installation of malware (including ransomware.) Microsoft urged customers to quickly patch affected systems.
What Is It?
As is usually the case, the technical details of the vulnerabilities and how to exploit them were not publicly released. However, once vulnerabilities are publicly announced and patches made available, both security researchers and attackers compare the vulnerable Exchange Server files with the patched versions and reverse engineer specific ways to exploit the vulnerabilities. This occurs with any high severity vulnerability, however, given the product impacted in this case and the attack surface this provides, the time between when patches are released, and the rush to exploit the vulnerabilities occurs is shortened significantly. This is a primary reason why prompt patching is always imperative.
For some insight into the potential scope of exploitation, despite the fact Microsoft initially referred to limited and targeted attacks, cyber intelligence group Shadowserver have stated that up to 68,500 servers may have been compromised prior to the patches being released. Approximately a week later, Shadowserver found over 64,000 distinct IP addresses were still vulnerable. One of Shadowserver’s partner organizations found approximately 20% of the 250,000 servers they scanned were still vulnerable.
Statistics like that would likely make attackers salivate at thought of the profit from the smorgasbord of potential victims to choose from. Therefore, it’s no surprise that ransomware operators are making use of the vulnerable systems to deploy ransomware.
One novel piece of ransomware observed using this attack vector is called DEARCRY, also known as DoejoCrypt. Insight from McAfee Cyber Investigations shows DEARCRY victims in Germany, Luxembourg, Indonesia, India, Ireland and the US. The ransomware adds DEARCRY! to the beginning of each encrypted file and uses genuine cryptography, making decryption impossible without payment of the ransom. It also adds .CRYPT to the end of all encrypted files. The attackers provide victims two emails to contact them, with one victim known to have been told to pay a $16,000 ransom.
Once again, attackers have shown a motivation and capability to very quickly make use of new high-profile vulnerabilities to install malware, including ransomware. Vulnerabilities such as these allow ransomware operators to easily and directly install ransomware, without the need for the usually reliable social engineering methods they tend to rely on.
How Does It Propagate?
The malware does not contain the necessary code to self-propagate. The initial attack vector, exploitation of the Microsoft Exchange Server ProxyLogon vulnerability, is discussed in detail above.
When/How Did BluVector Detect It?
Four samples related to this campaign are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have all been detected 7 months prior to their release.