A few days ago, Microsoft disclosed ongoing attacks coordinated by several state-backed threat groups abusing ProxyLogon vulnerabilities. Within a few weeks, these attacks have become a menace and are spreading like wildfire.
What is happening?
A large number of ransomware and botnet operators are active on the scene and taking advantage of the recently discovered ProxyLogon flaws in Exchange Server 2019, Server 2016, and Server 2013.
- Threat actors are fully taking advantage of the slow patch and mitigation process of the Microsoft Exchange Server as attack rates are getting doubled every few hours, according to Check Point Research.
- The countries most affected by these attacks are Turkey (19%), the U.S (18%), and Italy (10%). Government, manufacturing, military, and financial are the most targeted sectors.
- Microsoft has warned that some cybercriminals are using a strain of ransomware identified as DearCry that exploits still unpatched Exchange servers for propagation purposes.
- Lemon_Duck, a cryptomining botnet, takes advantage of Microsoft Exchange ProxyLogon exploits, as well.
The threat won’t stop
In addition to all the active attacks in the wild, a security researcher has released a proof-of-concept exploit that only needs slight modification to install web shells on Exchange servers exposed to the ProxyLogon vulnerabilities, which may worsen the situation further.
Alerts and guidance pouring in
- An emergency directive has been issued by the CISA. This directive ordered several agencies to quickly update or disconnect their Microsoft Exchange on-premises servers and check their networks for indicators of compromise.
- The Biden administration strongly suggested updating the servers as soon as possible, stating that attacks abusing the vulnerabilities have been escalated rapidly, and the window for updating the exposed servers is very short.
- The NCSC (U.K) has urged businesses to patch against vulnerabilities in Exchange as only half of 7,000 impacted servers were secured at the time of reporting.
Tens of thousands of organizations are already victims of these ongoing attacks exploiting the ProxyLogon flaws. Even though patches and remediation steps are already released, organizations are still lagging behind in applying them as more tens of thousands of Exchange Servers are yet unpatched. Experts and government agencies are urging organizations to take this on high priority and patch the systems at the earliest.