the staff of the Ridgewood blog
Ridgewood NJ, hackers continue to target vulnerable Exchange servers, with a ten-fold increase in the number of attempted attacks between March 11 and March 15, 2021 alone. In addition to the nation-state hackers that first exploited several zero-day vulnerabilities in Microsoft Exchange, ransomware threat actors and cryptocurrency miners are also targeting vulnerable servers. According to Microsoft, a new ransomware family known as DearCry is infecting networks after initial Exchange server compromises.
As of this writing, victims appear to be located in the US, Canada, and Australia. Operators of the cryptocurrency-mining botnet Lemon Duck are also targeting vulnerable servers. Many tools and resources have been provided over the last several weeks to assist network defenders both in updating systems and in searching for indicators of compromise.
On March 15, Microsoft released a one-click Microsoft Exchange on-premises mitigation tool to assist organizations without dedicated IT security teams in mitigating the highest risks to internet-connected on-premises Exchange servers, both supported and out-of-support, prior to patching. On March 16, Microsoft also released guidance for responders on investigating and remediating the Exchange server vulnerabilities. Furthermore, CISA published several malware analysis reports (MARs) identifying web shells associated with the exploitation of vulnerable Exchange servers.