More than a week after Microsoft released a one-click mitigation tool to counter cyberattacks targeting on-premises Exchange servers, the company disclosed that patches have been applied to 92% of all internet-facing servers affected by the ProxyLogon vulnerabilities.
The development, a 43% improvement over the previous week, follows a wave of espionage and malware campaigns that hit thousands of companies worldwide, with as many as 10 advanced persistent threat (APT) groups moving quickly and opportunistically to exploit the bugs.
According to telemetry data from RiskIQ, about 29,966 instances of Microsoft Exchange servers are still vulnerable to attack, down from 92,072 on March 10.
While Exchange administrators were already under attack by several state-sponsored hacking groups before Microsoft’s patch on March 2, the release of public proof-of-concept exploits set off a feeding frenzy of infections, opening the door to escalating attacks such as ransomware and web shell hijackers planted on unpatched Microsoft Exchange servers to deliver cryptominers and other malicious software.
“To make matters worse, proof-of-concept automated attack scripts are made publicly available, making it possible for unskilled attackers to even gain remote control of a vulnerable Microsoft Exchange Server,” the cybersecurity company F-Secure stated in a write-up last week.
In the weeks since Microsoft first released its patches, it was discovered that at least two different ransomware families, “DearCry” and “Black Kingdom,” were leveraging the bugs to install themselves on vulnerable servers.
Cybersecurity firm Sophos’ analysis of Black Kingdom paints the ransomware as “somewhat elementary and amateurish in its constitution,” with the attackers abusing the ProxyLogon bug to plant a web shell, then using it to issue a PowerShell command that downloads the ransomware payload, which encrypts the files and demands a bitcoin ransom in exchange for the private key.
“Black Kingdom ransomware targeting unpatched Exchange servers has all the features of being created by a motivated script-kiddie,” said Mark Loman, Sophos’ engineering director. “The encryption tools and techniques are imperfect, but the ransom of $10,000 in bitcoin is low enough to be successful. All threats, even seemingly low-quality ones, should be taken seriously.”
The number of attacks even before ProxyLogon’s public disclosure has prompted experts to investigate whether the exploit was shared or sold on the dark web, or whether a Microsoft partner, with whom the company shared information about the vulnerabilities through its Microsoft Active Protections Program (MAPP), either accidentally or intentionally leaked it to other groups.