Hackers are exploiting recently discovered vulnerabilities in Exchange email servers to drop ransomware, Microsoft has warned, a move that puts tens of thousands of email servers at risk of destructive attacks.
In a tweet late Thursday, the tech giant said it had detected a new kind of file-encrypting malware called DoejoCrypt — or DearCry — which uses the same four vulnerabilities that Microsoft linked to a new China-backed hacking group called Hafnium.
When chained together, the vulnerabilities allow a hacker to take full control of a vulnerable system.
Microsoft said Hafnium was the “primary” group exploiting these flaws, likely for espionage and intelligence gathering. But other security firms say they’ve seen other hacking groups exploit the same flaws. ESET said at least 10 groups are actively compromising Exchange servers.
Michael Gillespie, a ransomware expert who develops ransomware decryption tools, said many vulnerable Exchange servers in the U.S., Canada, and Australia had been infected with DearCry.
The new ransomware comes less than a day after a security researcher published proof-of-concept exploit code for the vulnerabilities to Microsoft-owned GitHub. The code was removed a short time later for violating the company’s policies.
Marcus Hutchins, a security researcher at Kryptos Logic, said in a tweet that the code worked, albeit with some fixes.
Threat intelligence company RiskIQ says it has detected over 82,000 vulnerable servers as of Thursday, but that the number is declining. The company said hundreds of servers belonging to banks and healthcare companies are still affected, as well as more than 150 servers in the U.S. federal government.
That’s a rapid drop from the close to 400,000 servers that were vulnerable when Microsoft first disclosed the vulnerabilities on March 2, the company said.
Microsoft published security fixes last week, but the patches do not expel the hackers from already-breached servers. Both the FBI and CISA, the federal government’s cybersecurity advisory unit, have warned that the vulnerabilities present a major risk to businesses across the United States.
John Hultquist, vice president of analysis at FireEye’s Mandiant threat intelligence unit, said he anticipates more ransomware groups trying to cash in.
“Though many of the still unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails,” said Hultquist.