Black Kingdom/Pydomer Ransomware Operators Targeting the Exchange Server Vulnerabilities

Threat actors targeting the Exchange Server vulnerabilities that Microsoft disclosed in early March now include the operators of the Black Kingdom/Pydomer ransomware.

The vulnerabilities were exploited as zero-days in live attacks before Microsoft released out-of-band patches on March 2, and in the three weeks since, despite the availability of patches and additional mitigations, many more adversaries have picked them up.

The number of unpatched Exchange installations has decreased dramatically, from about 80,000 on March 14 to fewer than 30,000 on March 22.

“As of today, we’ve seen a substantial reduction in the number of servers that are still vulnerable – over 92 percent of identified global Exchange IPs have been fixed or mitigated,” Microsoft said in a March 25 blog post. “We continue to work with our customers and partners to mitigate the vulnerabilities.”

The number of attacks on the still-vulnerable servers, on the other hand, has not decreased. More malware families and botnets are now attempting to compromise the unpatched servers, according to Microsoft.


More than two weeks ago, DoejoCrypt, also known as DearCry, became the first ransomware family to exploit the Exchange vulnerabilities. According to Microsoft, Black Kingdom/Pydomer has since entered the fray.

Pydomer operators were seen mass-scanning for and attempting to compromise unpatched Exchange servers. The group is known to go after publicly disclosed vulnerabilities, including flaws in Pulse Secure VPN appliances.

“They began later than some other attackers, with several compromises happening between March 18 and March 20, when there were fewer unpatched systems available,” the tech giant notes.

The gang’s web shell was found on about 1,500 servers, but ransomware was not deployed on all of them. According to Microsoft, the adversaries are likely trying to monetize the access they gained in another way.

On systems where the ransomware was deployed, the attackers used a “non-encryption extortion technique”: rather than encrypting files, they dropped only a ransom note stating their demands.

Microsoft warns that if such a note is found it should be taken seriously, since the attackers had full access to the network and may have exfiltrated data before leaving it.

Another adversary to join the Exchange party in recent weeks was the group behind the Lemon Duck cryptocurrency botnet, which used “a fileless/web shell-less choice of direct PowerShell commands from w3wp (the IIS worker process) for some attacks,” but relied on a variety of exploit styles in others.
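The parent-child relationship described above (the IIS worker process w3wp.exe launching PowerShell directly, with no web shell on disk) is something a defender can hunt for in process-creation telemetry. The following is an added example written for this page, not code from the article or from Microsoft: it runs a simple rule over constructed Sysmon-style process-creation records (field names follow Sysmon Event ID 1; the hostnames, paths and command lines are made up) and flags w3wp.exe spawning a shell, raising the severity when the command line carries an encoded command or a download cradle.

```python
"""Hunt for the IIS worker process (w3wp.exe) spawning PowerShell or cmd.

The sample events below are constructed for this example. They imitate a
subset of Sysmon Event ID 1 (process creation) fields; "Computer" is added
as a hypothetical host field for readability.
"""
import json
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Children that an IIS worker process has no routine reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# PowerShell's -EncodedCommand switch and its short forms.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)")
# Common in-memory download patterns.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(downloadstring|invoke-webrequest|\biwr\b|new-object\s+net\.webclient)"
)


@dataclass
class Alert:
    utc_time: str
    host: str
    reason: str
    severity: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (case-insensitive matching)."""
    return ntpath.basename(path or "").lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if w3wp.exe spawned a shell, otherwise None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent != "w3wp.exe" or child not in SUSPICIOUS_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    severity = "medium"
    reasons = [f"w3wp.exe spawned {child}"]
    if ENCODED_FLAG.search(cmd):
        severity = "high"
        reasons.append("encoded command")
    if DOWNLOAD_CRADLE.search(cmd):
        severity = "high"
        reasons.append("download cradle")
    return Alert(
        utc_time=event.get("UtcTime", ""),
        host=event.get("Computer", ""),
        reason="; ".join(reasons),
        severity=severity,
        command_line=cmd,
    )


def hunt(jsonl: str) -> List[Alert]:
    """Run evaluate() over JSON-lines input; blank lines are skipped."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two hits, two benign records.
SAMPLE_EVENTS = r"""
{"UtcTime": "2021-03-19 02:14:07.001", "Computer": "EXCH01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"UtcTime": "2021-03-19 02:15:30.412", "Computer": "EXCH01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "CommandLine": "csc.exe /noconfig /fullpaths @\"C:\\Windows\\Temp\\abc.cmdline\""}
{"UtcTime": "2021-03-19 09:01:11.870", "Computer": "WS042", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"UtcTime": "2021-03-20 04:40:59.223", "Computer": "EXCH02", "ParentImage": "C:\\Windows\\System32\\inetsrv\\W3WP.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
"""

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.utc_time} {a.host}: {a.reason} :: {a.command_line}")
```

The csc.exe record is deliberately left unflagged: ASP.NET compiling pages through w3wp.exe is normal on an Exchange server, so a rule keyed on w3wp.exe spawning anything at all would drown in noise. Tune the child list and the command-line patterns to your own baseline before turning this into a standing detection.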


While continuing to run their usual email-based campaigns, the Lemon Duck operators compromised multiple Exchange servers and, according to Microsoft, have evolved into more of a malware loader than a simple coin miner.

Attacks on Exchange servers can continue to affect organisations even after patches have been applied, the company notes, because attackers may have stolen credentials or established persistent access before the patch went in; patching closes the entry point but does not evict an intruder who is already inside.

“Attackers use a combination of on-premises Exchange Server vulnerabilities to get around security and write files and run malicious code. Updating to a supported Cumulative Update and installing all security patches is the safest and most complete remediation for these vulnerabilities,” Microsoft concludes.
