Microsoft: Ransomware gangs are using unpatched Exchange servers to gain access, so get updating

At least one ransomware group has been spotted using Exchange Server vulnerabilities to deploy BlackCat ransomware on target networks, according to Microsoft. 

Microsoft has warned that one cyber-criminal gang has used an unpatched Exchange Server to gain entry to a target organization to deploy the notorious BlackCat/ALPHV ransomware.

The company provides a case study of one cyber-criminal gang using Exchange Server flaws in BlackCat ransomware attacks as well as an overview of multiple ransomware gangs that previously used other ransomware.

SEE: Cloud computing dominates. But security is now the biggest challenge

The FBI in April warned that BlackCat ransomware had compromised at least 60 organizations worldwide since March 2022. BlackCat is the first ransomware to be built on the modern Rust programming language. 

The FBI in April warned that BlackCat affiliates use previously compromised user credentials to gain initial access to a victim network, but didn’t identify Exchange flaws as a point of entry. However, researchers at Trend Micro at the time reported BlackCat affiliates had used the Exchange CVE-2021-31207 flaw initial entry and to install a web shell on the server for remote access.  

Microsoft doesn’t specify which Exchange vulnerability was used in the BlackCat compromise it investigated, but it does provide a link to a blogpost about four on-premise Exchange Server vulnerabilities from its March 2022 Patch Tuesday updates. It warns of attacks using the flaws to insert web shells on Exchange servers for persistence and remote access.

As Microsoft explains in a new blogpost, BlackCat is a ransomware-as-a-service operation, consisting of multiple actors that may use different tools and techniques. 

Thus, no two BlackCat deployments might look the same said Microsoft. 

“BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack. Therefore, the pre-ransom steps of these attacks can also be markedly different,” it said.

The BlackCat affiliate Microsoft highlights took two weeks to deploy BlackCat after exploiting the unpatched Exchange servers for initial access. It used the PsExec utility to deploy BlackCat. Between those two points, the attackers explored system and network environments and gathered Active Directory account data, dumped and stole credentials, signed into multiple devices using the Remote Desktop Client, and stole data and intellectual property for subsequent double-extortion.  

The other incident it details involved attackers using previously compromised credentials to access an internet-facing Remote Desktop server. 

Microsoft also notes that more ransomware affiliates are turning to BlackCat.  

For example, DEV-0237, which Mandiant calls FIN12, has in the past distributed Hive, Conti, and Ryuk ransomware. Microsoft observed that this group added BlackCat to their list of payloads beginning March 2022. 

Also, DEV-0504, a group that uses PsExec to distribute various ransomware strains began distributing BlackCat in December 2021. Previously, it has distributed BlackMatter, Conti, Lockbit 2.0, Revil, and Ryuk. 

SEE: Don’t let your cloud cybersecurity choices leave the door open for hackers

“In the BlackCat-related incidents we’ve observed, the common entry points for ransomware affiliates were via compromised credentials to access internet-facing remote access software and unpatched Exchange servers,” Microsoft says. 

“Therefore, defenders should review their organization’s identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment to update as soon as possible.”