Cybersecurity Researchers Report that Attacks on Microsoft Exchange Servers are Doubling

Check Point Research (CPR) reported that attacks on Microsoft Exchange Servers (MSX) are doubling after hacking group Hafnium exposed critical vulnerabilities.

CPR explained that malicious actors are using new strains of ransomware on MSX, which Microsoft tried to patch after the Hafnium breach that used the ProxyLogon vulnerability was discovered.

CPR said the exploitation attempts on organizations were doubling every two to three hours and targeted Turkish and American firms. 

Microsoft confirmed the reports and identified the variants as DoejoCrypt or DearCry.

Cybersecurity researcher Michael Gillespie reported that DoejoCrypt has been used after the breach and speculated that it was connected.

Gillespie said that several users reported ransomware attacks on MSX servers.

ESET reported that there were at least 10 attacks this week, which it suspected to be the work of Chinese state-sponsored groups but which had shown criminal intent instead of espionage.

Palo Alto reported that at least 125,000 servers remain unpatched worldwide.

Even with the patches, the critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019, are still being used by malicious groups to compromise servers.

“Compromised servers could enable an unauthorized attacker to extract your corporate emails and execute malicious code inside your organization with high privileges. Organizations who are at risk should not only take preventive actions on their Exchange but also scan their networks for live threats and assess all assets,” warned Lotem Finkelsteen, Manager of Threat Intelligence at Check Point.
