According to Microsoft, Exchange Server vulnerabilities are being exploited

According to Microsoft, Exchange Server vulnerabilities are being exploited

Insecure actors are taking advantage of Microsoft Exchange Server vulnerabilities by installing a new ransomware strain on insecure servers.

Microsoft threat researcher Philip Missner confirmed the news reports on Twitter late Thursday. Ransom for a new family of human-powered ransomware: Win32 / Dzeko Crypta. Is found as A, and the surname Derry is given as it adds to the beginning of encrypted files. It adds the extension .CRYPT to those files.

Michael Gillespie of the ID ransomware website, which helps identify ransomware strains, also said in a tweet that the site had also posted a link to Canada, the U.S. Also posted a link to and have seen a number of sudden submissions with the IP addresses of exchange servers in Australia. Gillespie told Blapping Computer that the presentations began March 9.

Initial reports have not said which threat group is using this new weapon.

"The fact is that cybercriminals have easy access to a potentially large number of exchange servers, especially for small businesses that do not have the ability to set up if they are compromised, deed remediation." Callow, a researcher for British Columbia. Based Amisoft. “We really need governments to move quickly and provide the companies they need to secure their environments. "

Some cyber gangs gather terabytes of open-source intelligence about Internet software. Once a zero-day vulnerability appears, they sell a compiled list of known IP addresses or URLs for other gangs to run unsafe software, according to Ilya Kolochenko, the founder and chief architect of IlyaWeb SA. “It increases both speed and efficiency of exploitation. Such hacking operations in association with ransomware give criminals huge and easy profits.

However, today, I see no specific risk in the continued exploitation of Microsoft Exchange faults. First, some exploit conditions are required for some of the zero-days, such as a user account or an accessible web interface (server-side request forgery remote code execution) for SSRF RCE. "Thus, the breached organizations failed to enforce certain security strictures or IDR procedures. In addition, organizations that are still unexamined are potentially negligent and likely already contain a myriad of other vulnerabilities and attack vectors. Has been compromised by. "

Exploitation efforts have doubled

Check Point Software reports that threats are wasting time for actors to find ways to take advantage of vulnerabilities. On Thursday, the number of exploitation attempts in tracking organizations has doubled every two to three hours in the past 24 hours.

Vulnerable, duplicated as a proxylogon by some researchers, allow an attacker to read an email from an authentication server's email server without authentication or access to one's email account. Further vulnerability chinning enables attackers to fully handle the mail server.

Two incident response firms have told IT World Canada of at least five Canadian firms whose on-premises Exchange server was compromised. Earlier on March 2, Microsoft announced a vulnerability discovery.

News now leveled against exchange vulnerabilities ransomware makes it more urgent that Exchange administrators install security patches to block access to vulnerabilities and seek indicators of widespread, such as websail and backside intrusters may have left is.

Earlier this week, ESET said that at least 10 threat groups are trying to take advantage of the vulnerabilities publicly disclosed by Microsoft on 2 March.

Administrations are making good progress in patching, but thousands of Exchange servers are insecure. Palo Alto Networks said late Thursday that its expense-tracking platform counted 2,700 unsafe servers on the Internet, down from 4,500 on Tuesday. In the US, the number of unpublished Internet-connected Exchange servers was down from 30,000 on Tuesday. There are still an estimated 30,000 unrestricted servers left.

Matt Kranning, chief technology officer of Cortex at Palo Alto Networks, said in a statement that it is a deserted area.

"I have never seen a security exchange rate so high for any system as widely deployed as Microsoft Exchange," he said. "Nevertheless, we urge those organizations to run all versions of Exchange before their systems are compromised because we know the attackers have at least two months before Microsoft releases patches in March. Till then the forests were taking advantage of these naught-less vulnerabilities. "

Other countries include unattainable Internet-connected Exchange servers on Thursday:

Germany - 11,000

U.K. - 4,900

France - 4,000

Italy - 3,700

Russia - 2,900

Switzerland - 2,500

Australia - 2,200

China - 2,100

Austria - 1,700