MS Exchange Servers Are Quickly Being Patched, But ProxyLogon Hackers Are Running Rampant
Black Hat hackers, or simply cybercriminals, can be effective in stealing, leaking, or encrypting data in efforts to extort money from organizations. With the advent of the ProxyLogon vulnerabilities for Microsoft Exchange servers, attackers are now taking advantage of the situation and may ramp up attacks in the coming weeks.
Earlier this week, we reported on BlackKingdom attempting to encrypt files on vulnerable Exchange servers, and they are at it again. Yesterday, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont reported that BlackKingdom ransomware had, in fact, encrypted files on his honeypot servers. What the criminals failed to do was exclude system-critical files, so once the server was turned off it would not boot again. That is not all that helpful if you are trying to deliver a ransom note and collect a payment.
BlackKingdom ransomware on my personal servers. It does indeed encrypt files. They exclude c:\windows, however my storage drivers were in a different folder and it encrypted those... meaning the server doesn't boot any more. If you're reading BlackKingdom, exclude *.sys files pic.twitter.com/nUVUJTbcGO
— Kevin Beaumont (@GossiTheDog) March 23, 2021
Thankfully, as time goes on, vulnerable servers are decreasing in number, with Microsoft reporting “92% of worldwide Exchange IPs are now patched or mitigated.” That still leaves 8% vulnerable, and many criminals will keep going after those remaining targets. MalwareTech tweeted earlier today that the BlackKingdom ransomware is the worst he has seen, with the potential for recursive encryption to occur.
Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates:
• 92% of worldwide Exchange IPs are now patched or mitigated.
• 43% improvement worldwide in the last week. pic.twitter.com/YhgpnMdlOX
— Security Response (@msftsecresponse) March 22, 2021
Ultimately, companies should patch quickly to mitigate the Microsoft Exchange vulnerabilities. Granted, some smaller organizations may not have a dedicated security team, so it may be more difficult to get things fixed. To that end, Microsoft has released a one-click script to mitigate the Microsoft Exchange vulnerabilities in the interim, until someone can come in and fix things properly. At the end of the day, patch early, patch often, and harden against cybercriminals. You would not leave your front door unlocked at night, so why would you leave your servers vulnerable?