March 2021
Cybercriminals worldwide are aggressively targeting any organization they view as capable of paying a ransom to recover its data or to avoid public disclosure of sensitive information. Attackers either create their own malware to launch ransomware attacks, or they purchase or license it from a variety of sources on the dark web.
What Is Ransomware?
Ransomware is a for-profit business that targets organizations by encrypting and stealing their data and demanding a ransom payment to return access to that data.
In recent weeks, at least 30,000 organizations across the United States alone have been attacked by ransomware. However, many security organizations estimate that hundreds of thousands of Microsoft Exchange Servers have been seeded with malicious code. The infected servers contain ransomware that allows attackers worldwide to take control of these systems.
In each incident, the intruders have left behind a “script”, an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The script gives the attackers administrative access to the victim’s computer servers.
A number of known vulnerabilities exist in various versions of MS Exchange Server. Microsoft recommends that all Exchange Servers be updated to the latest patches. This is, however, easier said than done. Many Exchange Servers are running on operating systems no longer supported by Microsoft, or are run by organizations that do not have the budget or the know-how to get the servers updated. While there are over 120 known MS Exchange Server vulnerabilities, these are some of the most severe.
The number of vulnerabilities provides hackers with a variety of potential attack vectors. In the case of a remote code execution (RCE) vulnerability, the rewards are high for hackers who can gain access. In many situations, IT staff do not remove the embedded malicious access after they patch the server, so the attacker's foothold survives the patch. This is just one example of an exploit vector common to remote access attacks.
Source: Microsoft 3.25.21 blog
One thing to keep in mind is that even if servers are patched and unauthorized access is removed, these servers remain vulnerable to phishing email and insider attacks. Email phishing is one of the biggest threats, and reducing it requires substantial changes in user awareness and behavior to counter the social engineering it relies on.
There is a fundamental flaw in the way most security protection is applied today. We call it the “Rearview Mirror” approach. The current methods rely on reacting to an attack after the fact. In other words, Microsoft responds by creating patches for known security breaches, which is too late.
The Rearview Mirror approach has proven to be disastrous and is not the solution. Hackers have demonstrated a great ability to adapt and evolve, using reverse engineering and leaving behind untraceable open doors.
The most common ransomware examples that have become extremely effective in MS Exchange server attacks are:
At Hackerstrike, we understand that regardless of the defenses that are in place, hackers will eventually gain access to a network or server. We are focused on what happens next. While other vendors look for known malware (the Rearview Mirror), Hackerstrike utilizes advanced Machine Learning (ML) as part of our extended detection and response (XDR) solution to recognize and halt anomalous behavior.
Hackerstrike recognizes behavioral changes in systems. We then stop the offending processes on the server from damaging infected systems or propagating to other devices over the network. This approach also helps reduce the incidence of false positives that plague security and risk management (SRM) leaders.
Organizations of all sizes need tools that work with but go well beyond the function of traditional anti-virus solutions. Hackerstrike is a full-protection platform designed from the ground up to provide real-time detection and protection of all of your systems using A.I.-based continuous learning technology. By examining metadata obtained from the Operating System, our ransomware detection and prevention solution can understand, identify and detect ransomware behavior and stop it, even if traditional antivirus tools can’t find the issues.
The continuous-learning Machine Learning (ML) engine in Hackerstrike constantly scans devices and the network for any anomalies that fall outside normal operating behavior. When an attack is launched, for example when an employee or contractor clicks on a link in a spear-phishing email, Hackerstrike immediately detects the behavior of the malware, alerts administrators and takes the appropriate steps based on the device and user under attack. This can include actions such as quarantining the device from network access, to prevent the malicious code from replicating to other devices on the network.
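As an added illustration, not Hackerstrike's engine or any code from this page, the Python below sketches the baseline-and-deviation logic described above over constructed OS file-activity metadata: per-process counts are compared against a learned "normal" profile, and a process whose behavior deviates far enough (here, mass renames to an unfamiliar extension) is mapped to an alert or quarantine action. The process names, paths, baseline numbers and thresholds are all made up for the demo.

```python
from collections import defaultdict
import ntpath  # Windows-style paths in the sample, parsed portably

# Constructed sample window of OS file-activity events: (process, action, path).
# Real telemetry would come from file-system auditing; these are invented.
EVENTS = [
    ("outlook.exe", "write", r"C:\Users\alice\mail.ost"),
    ("w3wp.exe", "write", r"C:\inetpub\logs\u_ex.log"),
] + [("svc_update.exe", "rename", rf"C:\Shares\finance\doc{i}.xlsx.locked") for i in range(40)] \
  + [("svc_update.exe", "write", rf"C:\Shares\hr\readme{i}.txt") for i in range(10)]

# Constructed baseline learned during normal operation: feature -> (mean, std dev)
# per process per window. A real engine would learn these per host and process.
BASELINE = {"writes": (12.0, 4.0), "renames": (0.5, 0.5), "dirs": (2.0, 1.0)}
KNOWN_EXTENSIONS = {".xlsx", ".txt", ".ost", ".log", ".docx"}


def features(events):
    """Per-process counts from one observation window of file-activity metadata."""
    stats = defaultdict(lambda: {"writes": 0, "renames": 0, "dirs": set()})
    for proc, action, path in events:
        s = stats[proc]
        s["dirs"].add(ntpath.dirname(path))
        ext = ntpath.splitext(path)[1].lower()
        if action == "rename" and ext not in KNOWN_EXTENSIONS:
            s["renames"] += 1  # rename to an unfamiliar extension: typical encryption sign
        elif action == "write":
            s["writes"] += 1
    return {p: {"writes": s["writes"], "renames": s["renames"], "dirs": len(s["dirs"])}
            for p, s in stats.items()}


def anomaly_score(feat):
    """Largest deviation from the baseline, in standard deviations (z-score)."""
    return max((feat[k] - mean) / sd for k, (mean, sd) in BASELINE.items())


def decide(events, alert_at=3.0, quarantine_at=6.0):
    """Map each process to an action, mirroring alert-then-contain handling."""
    actions = {}
    for proc, feat in features(events).items():
        z = anomaly_score(feat)
        actions[proc] = ("quarantine" if z >= quarantine_at
                         else "alert" if z >= alert_at else "none")
    return actions


if __name__ == "__main__":
    print(decide(EVENTS))  # svc_update.exe is flagged; the two normal processes are not
```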
Successful ransomware attacks rely on modified malware to evade the known-threat analysis that legacy vendors commonly use as their protection method, or on phishing (insider) attacks.
It is clear these methods do not work. The nature and speed of the ransomware attacks on MS Exchange Servers require a different approach. HackerStrike’s AI-based technology creates a deep operating profile of the server, and regardless of the attack vector, we can identify anomalous behavior instantly and stop the malignant process.
This approach ensures continuous protection regardless of the ransomware used, and even in cases of phishing attacks. For more information, visit www.hackerstrike.com or email us at info@hackerstrike.com