Microsoft Launches Yet Another Plead to Secure Exchange Servers

• Microsoft says there is still a large number of unpatched systems out there, calling admins to update.
• Malicious actors have been very quick to respond to the published information and even created a special ransomware for it.
• This weekend is bound to bring catastrophe to a large number of organizations and businesses.

Microsoft’s security team has published a piece to update us on the situation with the ongoing exploit of vulnerable Exchange servers and to also urge admins to finally patch their systems. As the tech giant warns, the attacks are still on the rise, mostly targeting small to medium-sized businesses but some large organizations too.

While the situation started with Chinese state-supported hackers (HAFNIUM), it is now completely out of control, as literally every level of threat actor has joined in the exploit game. Such is the spectrum of exploitation right now that even a new and specialized ransomware called “DearCry” is being deployed against vulnerable Exchange servers.

We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.

— Microsoft Threat Intelligence (@MsftSecIntel) March 12, 2021

Once again, Microsoft urges admins to first apply all available security updates to every system and then check whether any systems have already been compromised. In that case, removing those from the network and following the recommended cleaning steps is advised.

To illustrate the broad scope of the ongoing attacks, Microsoft has shared some relevant stats. On March 1, 2021, the number of Exchange servers that were discoverable through online scans was 400,000. At that time, all of them were vulnerable as Microsoft released fixes for the four 0-days on March 2, 2021.

By March 9, 2021, a full week later, 100,000 servers remained vulnerable to the vulnerabilities. And today, there are about 82,000 left to be updated, still providing attackers with a large pool of potential targets.

We knew that these flaws would stay around for a while, as patching can never be immediate. However, in this case, the situation spiraled out of control pretty quickly, with malicious actors proving extremely ready to respond to the newly published discoveries. All sings advocate that this will be a very hard weekend for organizations that remain vulnerable, and the prospect of ransomware infections is the worst now.

Microsoft is sharing CISA’s official ransomware protection guide, which should provide some solid advice on how to stay safe from this kind of trouble, but in general, patching is your best bet. With more than eighty thousand systems remaining vulnerable this weekend, the only hope for those risking it is that they will “get lost in the crowd.” The more you wait and postpone patching, the worst your chances will get.