Exchange servers first compromised by Chinese hackers now hit by ransomware


Organizations running Microsoft Exchange now have a new security headache: never-before-seen ransomware installed on thousands of servers already infected by state-sponsored hackers in China.

Microsoft reported the new ransomware family on Thursday night, saying it was being deployed after the initial server compromise. Microsoft’s name for the new family is Ransom:Win32/DoejoCrypt.A. It is more commonly known as DearCry.

Riding Hafnium

Security firm Kryptos Logic said on Friday afternoon that it had detected Exchange servers compromised by Hafnium that were subsequently infected with ransomware. Kryptos Logic security researcher Marcus Hutchins told Ars the ransomware was DearCry.

“We have just discovered 6,970 exposed webshells that are publicly exposed and have been placed by actors exploiting the Exchange vulnerability,” Kryptos Logic said. “These shells are used to deploy ransomware.” Webshells are backdoors that let attackers use a browser-based interface to run commands and malicious code on infected servers.

Hutchins said the attacks are “human-operated”, meaning a hacker manually installs the ransomware on one Exchange server at a time. Anyone who knows the URL of one of these public webshells can gain complete control over the compromised server. The hackers responsible for the infections use these shells to deploy the ransomware. The webshells were originally installed by Hafnium, the name Microsoft gave to a state-sponsored threat actor operating out of China. Not all of the nearly 7,000 servers were affected by DearCry.

“Basically, we are starting to see criminal actors using shells left by Hafnium to gain a foothold in the networks,” Hutchins explained.

Hafnium is one of at least nine APTs (advanced persistent threat groups) that exploited the Exchange vulnerabilities known as ProxyLogon, which Microsoft patched on March 2. Most or perhaps all of these APTs have ties to China, researchers said. Researchers also said that up to 100,000 servers have been exploited since January, when the attacks likely started.

The deployment of ransomware, which security experts had said was inevitable, underscores a key aspect of the ongoing effort to secure servers compromised via ProxyLogon. It is not enough to simply install the fixes. Unless the webshells left behind are removed, the servers remain open to intrusion, either by the hackers who originally installed the backdoors or by other hackers who figure out how to access them.
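Because patching does not remove a webshell that is already on disk, defenders have to go looking for the files themselves. The following script is an added example, not code from the article or from any vendor named in it: it walks a web content directory, keeps only ASP.NET-style files modified after a cutoff such as the day the patches went on, and flags those that carry common webshell indicators. The indicator list, the file extensions and the sample tree are assumptions constructed for the demonstration, not signatures from the page.

```python
import os
import re
import tempfile
import time

# Heuristic indicator patterns for ASP.NET webshell triage.
# Assumption: a starting list for review, not an exhaustive signature set.
INDICATORS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"System\.Diagnostics\.Process",
        r"Request\.(Form|Item|QueryString|Headers)",
        r"\beval\s*\(",
        r"cmd\.exe",
    )
]

def scan_web_dir(root, modified_after):
    """Return [(path, matched_patterns)] for .aspx/.ashx/.asmx files under
    root whose mtime is after the cutoff and whose body contains at least
    one indicator. The mtime filter alone is weak (attackers can timestomp);
    the combination with content indicators is what makes a hit reviewable."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".aspx", ".ashx", ".asmx")):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < modified_after:
                continue
            with open(path, "r", errors="replace") as fh:
                body = fh.read()
            hits = [rx.pattern for rx in INDICATORS if rx.search(body)]
            if hits:
                findings.append((path, hits))
    return findings

def demo():
    """Constructed sample tree: one benign page and one indicator-bearing file.
    Returns the basenames that the scanner flags."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "logon.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %><html><body>Sign in</body></html>')
    sus = os.path.join(root, "sub", "x.aspx")
    os.makedirs(os.path.dirname(sus))
    with open(sus, "w") as fh:
        # Constructed: carries indicator strings only, not executable shell logic.
        fh.write('<%@ Page Language="C#" %><% var p = "System.Diagnostics.Process"; '
                 'var q = "Request.Form"; %>')
    cutoff = time.time() - 3600  # assumption: patches applied an hour ago
    return [os.path.basename(p) for p, _ in scan_web_dir(root, cutoff)]
```

On a real server, any hit should be compared against a known-good build of the same Exchange version before deletion, since legitimate pages can reference Request objects.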

Little is known about DearCry. Security firm Sophos said it is based on a public-key encryption scheme, with the public key embedded in the file that installs the ransomware. This lets it encrypt files without first connecting to a command-and-control server. To decrypt the data, victims must obtain the private key, which is known only to the attackers.

Mark Gillespie, a security expert who runs a service that helps researchers identify strains of malware, was among the first to find DearCry. On Thursday he reported that, starting Tuesday, his service began receiving submissions from Exchange servers in the United States, Canada and Australia of malware containing the string “DEARCRY”.

He later found someone posting on a Bleeping Computer user forum saying the ransomware was being installed on servers that had first been exploited by Hafnium. Bleeping Computer quickly confirmed the suspicion.

John Hultquist, vice president at security firm Mandiant, said piggybacking on webshells installed by other hackers may be a faster and more efficient way to deploy malware to unpatched servers than exploiting the ProxyLogon vulnerabilities directly. And as already mentioned, even if the servers are patched, ransomware operators can still compromise machines when the webshells have not been removed.

“We anticipate further exploitation of Exchange vulnerabilities by ransomware players in the near term,” Hultquist wrote in an email. “Although many as yet unpatched organizations have been exploited by cyber espionage actors, criminal ransomware operations may pose a higher risk as they disrupt organizations and even extort victims by distributing stolen emails.”

Post updated to remove “7,000” from the headline and to clarify that not all of the servers have been infected with ransomware.
