Black hat hackers, or simply cybercriminals, can be very effective at stealing, leaking, or encrypting data to extort money from organizations. With the disclosure of the ProxyLogon vulnerabilities in Microsoft Exchange Server, attackers are taking advantage of the situation and may ramp up attacks in the coming weeks.
Earlier this week, we reported on BlackKingdom attempting to encrypt files on vulnerable Exchange servers, and they are at it again. Yesterday, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont reported that BlackKingdom ransomware had, in fact, encrypted files on his honeypot servers. What the criminals failed to do was exclude system-critical files, so once a system was powered off it would not boot again. That is not very helpful if you are trying to deliver a ransom note and collect a payment.
Thankfully, the number of vulnerable servers is decreasing as time goes on, with Microsoft reporting that "92% of worldwide Exchange IPs are now patched or mitigated." That still leaves 8% vulnerable, and many criminals will keep going after those remaining targets. MalwareTech tweeted earlier today that BlackKingdom is the worst ransomware he has seen, with the potential for recursive encryption (already-encrypted files being encrypted again).
Ultimately, companies should patch quickly to close the Microsoft Exchange vulnerabilities. Granted, some smaller organizations may not have a dedicated security team, which makes it harder to get things fixed. For that reason, Microsoft has released a one-click tool (the Exchange On-premises Mitigation Tool) to mitigate the Exchange vulnerabilities in the interim until someone can come in and fix things properly. Keep in mind that the mitigation is a stopgap, not a substitute for installing the security update. At the end of the day: patch early, patch often, and harden against cybercriminals. You would not leave your front door unlocked at night, so why would you leave your servers vulnerable?