Recent MS Exchange Attacks

In recent weeks, at least 30,000 organizations across the United States alone have been attacked by ransomware. However, many security organizations estimate that hundreds of thousands of Microsoft Exchange Servers have been seeded. The infected servers contain ransomware that allows attackers world-wide to take control of these systems.

In each incident, the intruders have left behind a “script”, an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The script gives the attackers administrative access to the victim’s computer servers.

MS Exchange known severe vulnerabilities

A number of known vulnerabilities exist in various version of MS Exchange Server.  Microsoft recommends that all Exchange Servers be updated to the latest patches.  This is however easier said than done.  Many Exchange Servers are running on operating systems no longer supported by Microsoft or organizations that do not have the budget or the know-how to get the servers updated.  While there are over 120 known MS Exchange Server vulnerabilities, these are some of the most severe.  

• Microsoft Exchange Memory Corruption Vulnerability: This vulnerability allows remote code execution in Microsoft Exchange software when the software fails to properly handle objects in memory. 

• Microsoft Exchange Memory Corruption Vulnerability: Exploiting this vulnerability allows the attacker to execute A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

• Microsoft Exchange Remote Code Execution Vulnerability: A remote code execution vulnerability exists in the way Microsoft Exchange software parses specially crafted email messages,
• Microsoft Exchange Memory Corruption Vulnerability: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka “” This affects Microsoft Exchange Server.

• Microsoft Malware Protection Engine Remote Code Execution Vulnerability: A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. This vulnerability is specially dangerous as it affects Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Exchange Server, Microsoft System Center, Microsoft Forefront Endpoint Protection.

How Does Ransomware Work Against MS Exchange Exchange Servers?

The number of vulnerabilities provide hackers with a variety of potential attack vectors.  In the case of a remote code execution (RCE) vulnerability, the rewards are high for hackers who can gain access. In many situations, IT staff do not remove the embedded malicious access after they patch the server. This is just one example of an exploit vector common with remote access attacks.  

Source: Microsoft 3.25.21 blog

One thing to keep in mind is that even if servers are patched and unauthorized access is removed, these servers continue to be vulnerable to phishing email and insider attacks.  Email phishing is one of the biggest threats and requires drastic social engineering and behavioral changes to improve these threats.

Rear View Mirror Security Approach Does Not Work

There is a fundamental flaw in the approach most security protection is applied today.  We call it the “Rearview Mirror” approach.  The current methods rely on reacting to an attack after the fact.  In other words, Microsoft responds by creating patches to known security breaches, which is too late.

The rear view mirror approach has proven to be disastrous and is not the solution. Hackers have demonstrated a great ability to adapt and evolve using reverse engineering and leaving untraceable open doors.

The most common ransomware examples  that have become extremely effective in MS Exchange server attacks are:

• DearCry uses a combination of AES-256 and RSA-2048 encryption, and encrypted files are given the .CRYPT extension. Once encryption takes place, the inevitable ransom note is deployed, as a file called readme.txt.

• DoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released.

• Lemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting a different exploit style. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities.

HackerStrike for MS Exchange Server Ransomware Protection

A Different Approach

At Hackerstrike, we understand that regardless of the defenses that are in place, hackers will eventually gain access to a network or server. We are focused on what happens next. While other vendors look for known malware(Rear View Mirror), Hackerstrike utilizes advanced Machine Learning (ML) as part of our extended detection and response (XDR) solution to recognize and halt anomalous behavior. 

Hackerstrike recognizes behavioral changes of systems. We then stop the processes on the server from damaging infected systems or propagating to other devices over a network. This approach also helps reduce the incidence of false positives that plague SRM leaders.

Organizations of all sizes need tools that work with but go well beyond the function of traditional anti-virus solutions. Hackerstrike is a full-protection platform designed from the ground up to provide real-time detection and protection of all of your systems using A.I.-based continuous learning technology. By examining metadata obtained from the Operating System, our ransomware detection and prevention solution can understand, identify and detect ransomware behavior and stop it, even if traditional antivirus tools can’t find the issues. 

The continuous learning Machine Learning (ML) engine in Hackerstrike is constantly scanning devices and the network for any anomalies that fall outside of normal operating behavior. When an attack is launched when an employee or contractor clicks on a link in a spear phishing email for example, Hackerstrike immediately detects the behavior of the malware, alerts administrators and takes the appropriate steps based on the device and user under attack. This can include actions such as quarantining the device from network access, to prevent the malicious code from replicating to other devices on the network.

Key Benefits of Hackerstrike

• Quickly detect zero-day ransomware attacks providing instant protection with a few clicks.
• Easy to use, no cybersecurity expertise required
• Deployable on-premise, or in- cloud and hybrid environments
• Manage all devices using a single cloud-based console
• Stop ransomware spread in the network with our proprietary Autonomous self-healing technology

Summary

Successful ransomware attacks rely on modified malware to evade known thread analysis which is the common protection method used by legacy vendors or by phishing (insider) attacks.  

It is clear these methods do not work. The nature and speed of the ransomware attacks on MS Exchange Servers requires a different approach.  HackerStrike’s artificial intelligence based technology creates a deep operating profile of the server and regardless of any of the attack vectors, we can identify anomalous behavior instantly and stop the malignant process.

This approach ensures continuous protection regardless of ransomware used or even in cases of phishing attacks.For more information, visit www.hackerstrike.com or email us at info@hackerstrike.com