The floodgates appear to be open on critical bugs in Microsoft software as a predictable bevy of scammers — from a ransomware actor to cryptocurrency conmen — have flocked to vulnerable email servers.
The new incidents make clear that what started as a reported China-linked spying operation to steal data from the Microsoft email program has devolved into an opportunistic romp for criminals.
The number of attempts to exploit the email software program, known as Exchange Server, doubled every two to three hours over the course of 24 hours, Israeli security firm Check Point said Thursday. Government organizations, along with manufacturing and financial firms, were the top sectors targeted. The researchers cautioned, however, that they have yet to see intrusions that successfully string all of the vulnerabilities together.
At least one ransomware actor has now entered the fray.
Microsoft said late Thursday that crooks were using a new family of ransomware, dubbed DearCry, after breaking into organizations with the vulnerable email servers. But rather than a large-scale event, just a handful of servers in Australia, Canada and the U.S. appeared to be affected by the new ransomware strain as of Thursday, according to researcher Michael Gillespie.
Operators of botnets — the hordes of compromised computers used for spamming — also see an opportunity in the vulnerable email servers. The people behind the cryptocurrency-mining botnet known as Lemon Duck, active since 2018, have been conducting mass scanning for vulnerable servers and in some cases successfully exploited them, Costin Raiu, a researcher at anti-virus firm Kaspersky, said Friday.
Microsoft has urged organizations to apply security updates, while also providing fixes for older, unsupported versions of Exchange Server. But security experts warned last week that tens of thousands of U.S. state and local and businesses could be vulnerable to the hacking. Multiple security firms have released detection tools to mitigate the intrusions, and some researchers are working late hours to help resource-strapped organizations.
The malicious Exchange Server activity has also prompted high-level meetings of the Biden administration’s National Security Council, and an emergency directive from the Department of Homeland Security for federal civilian agencies to address the issue. So far, none of those agencies have been compromised in the Exchange Server hacks, according to DHS cybersecurity officials.