DearCry Ransomware Review

Following the discovery of the ProxyLogon Exchange vulnerabilities, Microsoft Security Intelligence has identified another campaign targeting unpatched Exchange Servers, this time to deliver DearCry ransomware. Of particular note is that these DearCry attacks are "human operated," meaning they rely on attackers at keyboards executing commands rather than on an automated attack chain.

As it continues to support users with mitigation efforts against ProxyLogon, Microsoft has also released a new script-based tool, which you can download here. The tool mitigates the currently known attacks that use CVE-2021-26855, the first link in the ProxyLogon attack chain. It also runs the MSERT tool and attempts to reverse any changes made by identified threats. You can read more about the tool and how to download it here: Information on One-Click Microsoft Exchange On-Premises Mitigation Tool.

Discussions of vulnerabilities, and of cybersecurity in general, can get confusing when everyone is not using the same technical language. Some words are common to everyone's lexicon, such as patching, antivirus, or vulnerability, but they don't carry the same meaning for everyone. A quick discussion of vulnerabilities versus the damage done by exploiting those vulnerabilities can help get everyone on the same page.

Vulnerabilities are weaknesses in a system that can cause the system to behave in undesirable ways. In information technology this typically refers to anything a threat source can trigger or exploit to compromise the confidentiality, integrity, or availability of an information system. Vulnerabilities aren't always what causes the damage. Rather, they are what allows something else to do the damage.

The ProxyLogon attacks string together multiple vulnerabilities that, by themselves, do no real damage. They compromise the integrity of the target system but otherwise cause no harm on their own. It's what an attacker does after leveraging the vulnerabilities that causes damage. The original Hafnium campaign was playing a long game: the attackers wanted to stay undetected and likely focused on pilfering intellectual property and other intelligence. In contrast, newer attacks leveraging ProxyLogon are being used to deliver ransomware and other destructive payloads. It's not the vulnerabilities so much as the payload delivered by the attackers that is of concern.

The good news is that, while the ProxyLogon vulnerabilities could not initially be prevented (no patch existed when they were first exploited), good security practices can still limit the scope and scale of the damage done by payloads delivered through ProxyLogon. A layered approach to security is key to protecting against these types of attacks.

Lewis Pope is Head RMM Nerd for SolarWinds MSP. You can follow him on Twitter at @cybersec_nerd.