Further comment and analysis on the MS Exchange situation
March 2021 by Experts
Following last week’s update on the Microsoft Exchange hack and the DearCry developments, F-Secure and Varonis spokespeople have provided further comment and analysis on the situation, and I wanted to share these with you below in case you are writing anything further on the story.
Antti Laatikainen, Senior Security Consultant at F-Secure:
“Tens of thousands of servers have been hacked around the world. They’re being hacked faster than we can count. Globally, this is a disaster in the making.
We’re nearing the end of the period of time when we can influence how much data is stolen. These attacks aren’t powered by black magic. Companies that have security monitoring capabilities in place, such as Endpoint Detection and Response (EDR) or Rapid Detection and Response (RDS), along with network monitoring and an effective patching policy, can fight back. There are a range of things they can do manually to prevent a full disaster. I just encourage them to do them immediately.
The GDPR data protection regulation demands that theft of personal data must be reported to the data protection authorities within 72 hours. You have to expect that the number of GDPR breach reports coming in the next few weeks will be historic. Your company doesn’t have to be on the long list of organizations reporting breaches tomorrow, if you take the right steps today.”
Matt Lock, Technical Director at Varonis:
“The DearCry ransomware appears to take advantage of the ProxyLogon Exchange on-prem vulnerability, which allows unauthenticated external attackers to connect to internet-exposed Exchange servers. Previously observed attacks leveraging this vulnerability used it to steal mailbox information, then as a launching point for additional Exchange vulnerabilities designed to elevate rights, facilitate further intrusion into corporate networks, and maintain persistence for ongoing cybercriminal operations.
The DearCry attack is much less sophisticated and direct: it appears to be a smash-and-grab attempt to wring out cash from organizations struggling to get their Exchange servers patched. The group behind DearCry is not the first to exploit the ProxyLogon vulnerability, as there are reports of at least 10 separate APT groups using it, and with PoC exploit code available in the wild, it is likely this number will continue to grow as long as there are unpatched Exchange servers.
The best advice is to patch immediately. Microsoft offers a variety of scripts that help test whether your Exchange servers are vulnerable, as well as some options to triage the situation if patching is not something that can be done immediately.”