Mass Microsoft Exchange Exploitation Still Impacting Organizations
Threat actors have a lot of options, including launching ransomware and other attacks.
The UCaaS company is building cryptographic technologies into its platform thanks to its latest purchase.
RingCentral bought an end-to-end encryption provider named Kindite. Not revealing the purchase price, RingCentral says this will help it cut down on security and privacy risks in the cloud.
Edward Gately has the scoop.
Channel Futures: Why are hosts being compromised more than once?
Huntress’ John Hammond: The exploitation vector relies on a webshell being deployed on the machine, so the attackers can access this from anywhere and run arbitrary code or commands. Any single one of these webshells can offer remote code execution. But having multiple [webshells] means the threat actor has confident redundancy. If the good guys clean up just one webshell, the bad guys can still use their backups and maintain their access. Nearly 25% of the incident reports we have sent were for hosts that have been compromised more than once.
Channel Futures: Any reasons behind why Exchange servers remain unpatched?
Huntress’ John Hammond: At Huntress, we’ve seen over 650 SMBs compromised by Exchange. While we have been shouting from the rooftops, kicking and screaming for these servers to be patched, some organizations still have not. In early March, there was a lot of uncertainty and back-and-forth on how to validate or verify these patches have taken effect. Some organizations may have previously tried to patch, and just went on their merry way, unaware that the patch had failed. Some may be running such an outdated or deprecated legacy server [that] it becomes more of a nightmare than expected, or for others it may just be sheer negligence.
Organizations may now see this as a wake-up call to move to the cloud, but this is a painstakingly slow process that does require months of planning. There is no telling why some servers remain unpatched, but truthfully, there is no excuse.
Channel Futures: Have we seen any improvement in terms of organizations protecting themselves and the impact being minimized?
Huntress’ John Hammond: Thankfully, we have seen improvement in organizations patching and protecting themselves, but we aren’t out of the woods yet. In early April, about 12% of the Exchange servers Huntress has visibility on still had not patched. Throughout the month we have certainly seen the number go down, but we aren’t at zero. Organizations do need to take extra precautions. Even if they have patched, if there are still webshells present, bad actors still have access.
Positive Technologies expert Egor Dimitrenko has discovered two vulnerabilities in VMware vRealize Operations (vROps). The solution monitors and optimizes virtual infrastructure performance, and eliminates flaws in it.
The first and most dangerous vulnerability was detected in the vROps API. By exploiting this flaw, any unauthorized attacker can steal administrative credentials and get access to the application with maximum privileges. That allows changing the application configuration and intercepting any data within the app.
The main risk is that administrator privileges allow attackers to exploit the second vulnerability. It allows executing any commands on the server. The combination of two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to get control over the server and move laterally within the infrastructure.
“We are not aware that a vulnerability has been exploited in the wild, but we can say with certainty that such severe vulnerabilities are often used in attacks on companies’ infrastructure,” Dimitrenko said. “The use of software assumes not only its initial setup, but also permanent and continuous service. If the vendor releases an update that includes a security fix, organizations should apply it in a timely manner. Also, don’t dismiss the additional protective measures, such as implementing SIEM systems in your infrastructure. If a company becomes a victim of an attack with zero-day vulnerabilities that are not publicly available and a vendor can’t provide a timely patch, protective software will stop the further lateral movement of attackers in the system.”
Threat actors recently demanded a $40 million ransom payment from the Broward County Public Schools district in Florida.
According to Bleeping Computer, the cyberattack forced the school system to shut down its IT systems last month. After negotiations between the Conti ransomware group and the school system failed, the threat actors published alleged screenshots of the ransom negotiations.
The malicious hackers ultimately lowered the ransom to $10 million, but it was still far more than the $500,000 the school district ended up paying.
Eddy Bobritsky is CEO of Minerva Labs.
“The surprising thing is the unbearable easiness of having to pay this huge amount of money,” he said. “You can see in the negotiation screenshots how it was so easy for the organization to pay $500,000 just for this attack to stop. And it is not because this organization has a lot of money. It is just because they had to return to their regular routine, and of course, if this case would have continued more days, the costs would’ve been much higher, not just because of the amount they had to pay, but also because of the risk for ruined reputation, the loss of working days and school days, and more.”
Schools, along with all kinds of organizations and businesses, have to invest in prevention solutions, Bobritsky said.
“We have to remember the unfair fact that small organizations with limited teams and low budgets have to protect themselves from the same attack that will occur in a large organization with a big team of experts and a budget of tens of millions of dollars,” he said. “The reality is that 80% of organizations don’t have the resources to have this kind of team and skill sets. It is important to realize that threat actors don’t seek just the big and well-founded organizations. And the loss can be felt much more in small organizations and businesses.”
It may not be at the top of the headlines anymore, but the mass Microsoft Exchange exploitation isn’t over yet.
Huntress has been monitoring the situation since early February and has updated its resource page. In addition to the discoveries, the company reported the following findings:
- Malicious hackers appear to have compromised 20% of the Exchange servers Huntress reviewed (those running affected versions).
- Nearly 25% of the incident reports Huntress sent were to hosts that had been compromised more than once.
- About 12% of the Exchange servers Huntress is monitoring still need patching.
Huntress’ John Hammond
The cyberattack was on Microsoft’s on-premises Exchange business email software. The attack allowed access to email accounts and installation of malware to increase hackers’ dwell time inside a system.
We caught up with John Hammond, senior security researcher at Huntress, to find out the latest on the Microsoft Exchange exploitation.
Channel Futures: Is the threat from the Microsoft Exchange exploitation still very much real? If so, how?
John Hammond: The Exchange incident has taken up all of the month of March. And sadly, even now as we are in the early weeks of April, it continues. The threat is still very much real. Servers that are not patched are still being actively exploited. As public exploits are now available, any ill-intended actor can spray-and-pray across the internet looking for public-facing and vulnerable Exchange servers.
Scroll through the slideshow above for more of Hammond’s comments, as well as more cybersecurity news making headlines this week.