
At the start of March, Microsoft took the unusual step of releasing four "out-of-band" patches to its customers. The reason was simple: it had detected a nation state adversary exploiting the related vulnerabilities in attacks on Exchange email servers. In just a few days, multiple threat groups had joined in with their own attacks, and tens of thousands of endpoints in the US alone were thought to have been compromised. Increasingly, it is ransomware that is being deployed on these exposed endpoints as attackers try to maximize their monetization efforts. If any were needed, it's another clear reminder that ransomware remains one of the most potent threats facing organizations today, and one that even nation states may be leveraging. Mitigating this risk should be a priority for any security team, not just those running Exchange Server.

The earliest attacks exploiting the four Exchange Server bugs patched by Microsoft were traced back to "Hafnium." This Chinese state-sponsored group has previously been observed targeting various US organizations in sectors including infectious disease research, legal, higher education, defense, and NGOs. It's unclear what they were after this time, but cyber-espionage for geopolitical gain is usually the name of the game for such groups. The beauty of targeting Exchange Server is that the endpoints contain sensitive data themselves, but can also be used as a jumping-off point to move laterally across the victim's network in search of higher value information. The Hafnium attackers were observed stealing passwords from the servers, which allowed them to do this covertly.

It took just a week from the day Microsoft patched the vulnerabilities for as many as 10 APT groups to launch their own attacks. It wasn't long before other groups caught wind that there could be some serious gains to be made from so many exposed Exchange servers around the world. By installing a simple web shell on the compromised machines, the attackers had their very own backdoor to remotely perform a range of post-exploitation activity like deploying ransomware. One report claimed that as many as 30,000 US organizations were hacked in this way, with many more around the world falling victim.

The Ransomware Connection

From the very start there were concerns over ransomware. Microsoft warned of the DearCry variant being used in attacks, then a few days later Sophos explained that the group behind Black KingDom was also targeting exposed Exchange servers. Because the vulnerabilities affected only the on-premises version of Exchange, some experts argued that it could cause more widespread damage. That's because those running this version often have fewer resources to spend on security or patching: organizations in the education, local government and SMB sectors. One vendor recently claimed it detected a 57% increase in ransomware attacks over the start of 2021, while at the same time seeing Exchange Server infections triple in just a week. Even the Hafnium state-sponsored group has been linked in new research to a ransomware group known as Hades. This highlights just how ubiquitous ransomware has become these days. It can be seen as part of a trend whereby the lines between nation state and cybercrime attacks are growing blurred.

One new report even claims that some governments are increasingly looking to cyber-attacks to generate revenue rather than geopolitical advantage. Ransomware would be the perfect low-risk, high-reward way to do so. It's also increasingly favored by cyber-criminals. A December report from the non-profit Identity Theft Resource Center (ITRC) argued that ransomware and phishing are now more popular than traditional data breaches as they are easier to carry out.
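The article describes the attackers' foothold as a simple web shell: a page dropped into a web-served directory that takes attacker input from the HTTP request and executes it. The following is an added example, not code from the article or from Microsoft, showing the basic hunt a responder can run against a server's web roots: walk the tree for script pages modified after a chosen date and flag any whose source both reads request input and reaches a code- or command-execution primitive. The directory layout, file names and sample pages are constructed here for the demo; the indicator patterns are an assumption about how unobfuscated ASP.NET shells look, not a complete signature set.

```python
"""Hunt for ASP.NET web shells in a web-served directory.

Added example, not code from the original article. It assumes the shell
behaves as the article describes: a page reachable over HTTP that takes
attacker input from the request and executes it. The directory layout and
the sample pages below are constructed inline for the demo.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Where attacker-controlled input enters the page (assumed patterns).
INPUT_PATTERNS = [
    re.compile(r'Request\s*\[', re.I),
    re.compile(r'Request\.(Form|QueryString|Headers|Cookies|Item)\b', re.I),
]
# Where that input can reach code or command execution (assumed patterns).
EXEC_PATTERNS = {
    "dynamic_eval": re.compile(r'\b(eval|Execute|ExecuteGlobal)\s*\(', re.I),
    "process_spawn": re.compile(r'Process\.Start|cmd\.exe|powershell', re.I),
    "reflection": re.compile(r'Assembly\.Load|Activator\.CreateInstance|CompileAssemblyFrom', re.I),
    "file_write": re.compile(r'File\.WriteAllText|SaveAs\s*\(', re.I),
}
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".asax")


def classify(source):
    """Return the execution indicators that co-occur with request input, else []."""
    takes_input = any(p.search(source) for p in INPUT_PATTERNS)
    if not takes_input:
        return []
    return [name for name, pat in EXEC_PATTERNS.items() if pat.search(source)]


def hunt(root, since=None):
    """Walk root, skip files older than `since`, return [(path, indicators)] for suspects."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if since is not None and mtime < since:
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                indicators = classify(fh.read())
            if indicators:
                hits.append((path, indicators))
    return hits


# --- constructed demo tree (all three pages are made up for this example) ---
LEGIT_OLD = '<%@ Page Language="C#" %><asp:Label runat="server" Text="Hello" />'
LEGIT_NEW = ('<%@ Page Language="C#" %>'
             '<% var q = Request.QueryString["q"]; Response.Write(Server.HtmlEncode(q)); %>')
SHELL = ('<%@ Page Language="C#" %>'
         '<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>')


def build_demo_tree():
    """Create a temp web root with an old benign page, a new benign page and a new shell."""
    root = tempfile.mkdtemp(prefix="webshell-hunt-")
    auth = os.path.join(root, "owa", "auth")   # constructed sub-directory name
    os.makedirs(auth)
    files = {
        os.path.join(root, "default.aspx"): LEGIT_OLD,
        os.path.join(root, "search.aspx"): LEGIT_NEW,
        os.path.join(auth, "legacy.aspx"): SHELL,   # hypothetical shell file name
    }
    for path, content in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    # Backdate the long-standing page so the "since" filter skips it.
    old = (datetime.now(timezone.utc) - timedelta(days=90)).timestamp()
    os.utime(os.path.join(root, "default.aspx"), (old, old))
    return root


def run_demo():
    """Hunt the demo tree for pages changed in the last 14 days; return {relpath: indicators}."""
    root = build_demo_tree()
    since = datetime.now(timezone.utc) - timedelta(days=14)
    return {os.path.relpath(p, root).replace(os.sep, "/"): ind for p, ind in hunt(root, since)}


if __name__ == "__main__":
    for rel, ind in run_demo().items():
        print(f"SUSPECT {rel}: {', '.join(ind)}")
```

In a real engagement, point `hunt()` at the server's web roots with `since` set to the day the vendor patch was released, and treat every hit as something to pull for manual review rather than a verdict: the benign search page above reads request input but is not flagged because it never reaches an execution primitive, while an attacker who encodes or splits the `Request` and `Process.Start` tokens will slip past these regexes, so pair the file hunt with a review of the web server's access logs for requests to pages that did not exist before the incident.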
