Following Microsoft’s recent release of a mitigation tool aimed at addressing cyberattacks targeting on-premises Exchange servers, the company reported that 92% of the internet-facing servers affected by the ProxyLogon vulnerabilities have been patched. This marks a substantial improvement of 43% from the previous week, closing a tumultuous period rife with malware and espionage campaigns that have affected a multitude of organizations globally. Up to 10 advanced persistent threat (APT) groups have eagerly exploited these vulnerabilities.

As per telemetry data from RiskIQ, nearly 29,966 instances of Microsoft Exchange servers remain vulnerable, a significant decrease from 92,072 identified on March 10. The extensive nature of these attacks underscores a pressing cybersecurity challenge faced by businesses.

Prior to Microsoft’s patch release on March 2, Exchange servers were reportedly under attack from various Chinese state-sponsored hacking groups. The subsequent public disclosure of proof-of-concept exploits intensified the situation, enabling a wave of infections that has facilitated ransomware attacks and deployment of web shells for further exploitation on unprotected servers.

Cybersecurity firm F-Secure highlighted how the availability of automated attack scripts has enabled even inexperienced attackers to exploit vulnerable Microsoft Exchange Servers. In the weeks following Microsoft’s initial patch release, two new ransomware variants, "DearCry" and "Black Kingdom", were identified as leveraging these vulnerabilities to successfully execute attacks.

Analysis by Sophos characterizes Black Kingdom as somewhat rudimentary in its execution. The attackers utilize the ProxyLogon flaw to gain initial access, deploying a web shell that subsequently downloads a PowerShell command to initiate the ransomware payload. This technique encrypts user files and demands a ransom in Bitcoin in exchange for the decryption key.

Mark Loman, Director of Engineering at Sophos, noted that the Black Kingdom ransomware demonstrates characteristics typical of a less experienced attacker, yet the low ransom demand of $10,000 in Bitcoin poses a significant threat as it remains within reach for many businesses. The potential for harm should not be underestimated, even from lower-quality threats.

The volume of attacks that took place before ProxyLogon was publicly acknowledged has led authorities and cybersecurity experts to investigate whether the exploit was shared or sold on the Dark Web, or whether information leaked to third parties from within Microsoft’s Active Protections Program (MAPP).
