Let us discuss the issue of DearCry, a new strain of ransomware that several threat actor groups are deploying to attack vulnerable Exchange servers.
A global wave of cyberattacks and data breaches began in January 2021 after four zero-day vulnerabilities were found being exploited in on-premises Microsoft Exchange Server, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server itself, and access to other devices on the same network. Attackers typically install a backdoor in the shape of a web shell, which gives them full access to the impacted server even after it is patched against the original exploits.
As a refresher: the Microsoft Exchange attacks exploiting the ‘ProxyLogon’ vulnerability, previously associated with dropping malicious web shells, are taking on a ransomware twist. Until now the main aim of the attacks has been initial compromise followed by data exfiltration, with a bit of cryptomining on the side.
ProxyLogon is the general name given to CVE-2021-26855, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate an administrator. We have also chained this bug with a post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! A view of the ProxyLogon can be watched in the
As a result, an unauthenticated attacker can execute arbitrary commands on a Microsoft Exchange Server with nothing more than port 443 exposed!
What DearCry adds is a further vector of attack: now that exploit code for the ProxyLogon chain is publicly available, anybody can download it and run it against a vulnerable Exchange server. This has changed the picture significantly within the past week. Activity that was mainly conducted at a nation-state level is now potentially being undertaken by ‘script kiddies’ against corporate Exchange environments.
The danger of this pivot to ransomware is the sheer number of potential targets. Needless to say, it is essential that you install the Exchange updates required to keep your systems safe from harm. Taking the attack one stage further, cyber criminals are actively looking to feed off the Exchange bugs: according to Microsoft, ransomware attackers spreading a strain called DearCry are attempting to install the malware after compromising Exchange servers.
"We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry," Microsoft warned in a tweet. Ransom:Win32/DoejoCrypt.A is the name under which Microsoft's Defender antivirus will detect the new threat.
What is a Webshell?
A web shell is a malicious, web-based, shell-like interface that gives an attacker remote access to and control of a web server by allowing execution of arbitrary commands. This type of backdoor has previously been seen in payment card environments, where attackers gained access to compromised e-commerce servers and exfiltrated information, using the web shell as the enabling capability for their other tools and techniques.
So, why do the attackers do this? It saves effort: they leverage servers already compromised with HAFNIUM web shells and use them as a foothold into networks. It is a lot easier to scan the internet (reconnaissance), find one of the thousands of exposed Exchange servers, gain access to the web shell, then move to a hands-on-keyboard attack to move laterally within the environment, exfiltrate sensitive data and deploy ransomware. This is a much faster path to profit, as it skips the first step of initially compromising the victim.
What can we do to prevent, detect, and react to DearCry?
Prevention requires patching and removing any web shells from your Exchange servers. A number of scripts exist to find them; we recommend the script below. Note that Defender has also been seen detecting this tool itself as a web shell.
Detection “should” be taken care of by your endpoint security tool. But not all are up to scratch, and if the threat actors raise their level of sophistication they may incorporate AV bypass techniques or, more likely, simply disable the detection tooling! To prevent this in environments where Microsoft Defender is deployed, we strongly recommend enabling Tamper Protection.
Leveraging Azure Sentinel and Microsoft Defender, we can create custom rules to detect the initial stages of DearCry deployment by monitoring for creation of the “msupdate” service. The following is a rough and quick custom detection that should be seen as a “back stop” or “last chance” detection.
In theory, Microsoft Defender detects DearCry as “Ransom:Win32/DoejoCrypt.A – ‘DearCry’”, but if the threat actors change their variant so that it bypasses signature detection we can still detect it based on their techniques instead. Or, if you do not have Tamper Protection enabled, the threat actor may disable your anti-virus entirely. We also realise techniques can change, so this rule should be seen as a short-term detection to give visibility until you are able to patch.
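As an added example (this is not the script the post recommends, and not Microsoft's tooling), the following PowerShell hunts for ASPX web shells in the directories HAFNIUM implants were reported in. The directory list, the 60-day modification window and the content patterns are this example's own assumptions; the sample strings at the bottom are constructed and are only tested in memory, so nothing is written to disk that would trip Defender.

```powershell
# Added example, not the post's recommended script. Content heuristics target the
# one-line "China Chopper" style shell seen on Exchange, which evaluates
# attacker-supplied request data server-side, plus common process-spawning APIs.
$ShellPatterns = @(
    'eval\s*\(\s*Request',                                  # eval(Request["..."],"unsafe")
    'Request\.(Item|Form|QueryString|Headers)\s*\[',        # attacker input read by name
    'System\.Diagnostics\.Process',                         # spawning cmd.exe / powershell.exe
    'ProcessStartInfo',
    'runat\s*=\s*"server"[^>]*>\s*function\s+Page_Load'     # inline server-side JScript
)

function Test-WebShellContent {
    # Returns the patterns that matched; an empty array means nothing suspicious.
    param([string]$Content = '')
    $hits = @(foreach ($p in $ShellPatterns) { if ($Content -match $p) { $p } })
    return ,$hits
}

function Find-SuspiciousAspx {
    param(
        # Assumption: default Exchange 2013/2016/2019 install paths; adjust if yours differ.
        [string[]]$Paths = @(
            "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
            "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
            "$env:SystemDrive\inetpub\wwwroot\aspnet_client"
        ),
        # Assumption: files written in the last 60 days deserve a look regardless of content.
        [datetime]$ModifiedSince = (Get-Date).AddDays(-60)
    )
    foreach ($dir in $Paths) {
        if (-not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            ForEach-Object {
                $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
                $hits = Test-WebShellContent -Content ([string]$content)
                # Report on either signal: suspicious content, or a recent write to a
                # directory that should only change when Exchange is patched.
                if ($hits.Count -gt 0 -or $_.LastWriteTime -gt $ModifiedSince) {
                    [pscustomobject]@{
                        Path          = $_.FullName
                        LastWriteTime = $_.LastWriteTime
                        SizeBytes     = $_.Length
                        Indicators    = ($hits -join '; ')
                    }
                }
            }
    }
}

# Constructed samples (inert strings, never written to disk) to exercise the content check:
$benign  = '<%@ Page Language="C#" %><html><body>Sign in</body></html>'
$chopper = '<script language="JScript" runat="server">function Page_Load(){eval(Request["x"],"unsafe");}</script>'
Test-WebShellContent -Content $benign     # no patterns match
Test-WebShellContent -Content $chopper    # eval(Request...) and the inline Page_Load pattern match

# On a real server, run as Administrator and compare every hit against a clean install:
# Find-SuspiciousAspx | Format-Table -AutoSize
```

Treat the output as a lead list, not a verdict: legitimate Exchange pages live in these directories and are touched by cumulative updates, so check each hit's hash and timestamp against a known-good Exchange installation at the same patch level before deleting anything.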
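As an added example of the technique-based "back stop" described above (this is not the post's own Sentinel rule, and it runs on the host rather than in Sentinel), the following PowerShell checks System log Event ID 7045, "A service was installed in the system", for the "msupdate" service name the post associates with DearCry. It goes one step beyond the name-based rule by also flagging any newly installed service whose binary lives under a user-writable path, since a renamed variant will not match on name. The sample events are constructed for this example; the 7045 property order and the path heuristic are this example's assumptions.

```powershell
# Added example, not the post's Sentinel rule. Flags service installs by name
# (DearCry's "msupdate") and by suspicious binary location.
function Find-SuspiciousServiceInstall {
    param(
        # Objects carrying TimeCreated, ServiceName, ImagePath and AccountName
        [Parameter(ValueFromPipeline)][object]$Event,
        [string[]]$ServiceNames = @('msupdate'),             # name the post reports for DearCry
        # Assumption: a service binary under a user-writable or web-served path is abnormal
        [string]$SuspiciousPathPattern = '\\(Users|Temp|ProgramData|inetpub)\\'
    )
    process {
        $reasons = @()
        foreach ($name in $ServiceNames) {
            if ($Event.ServiceName -ieq $name) { $reasons += "service name matches '$name'" }
        }
        if ([string]$Event.ImagePath -imatch $SuspiciousPathPattern) {
            $reasons += 'service binary under a user-writable path'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                ServiceName = $Event.ServiceName
                ImagePath   = $Event.ImagePath
                AccountName = $Event.AccountName
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

function ConvertFrom-ServiceInstallEvent {
    # Maps a live 7045 record to the shape Find-SuspiciousServiceInstall expects.
    # Assumed property order follows the 7045 message template:
    # Service Name, Service File Name, Service Type, Service Start Type, Service Account.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            ServiceName = [string]$Record.Properties[0].Value
            ImagePath   = [string]$Record.Properties[1].Value
            AccountName = [string]$Record.Properties[4].Value
        }
    }
}

# Constructed sample records (not real telemetry) to exercise the check offline:
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2021-03-11T02:14:09'; ServiceName = 'WinDefend'
                       ImagePath = '"C:\Program Files\Windows Defender\MsMpEng.exe"'; AccountName = 'LocalSystem' },
    [pscustomobject]@{ TimeCreated = Get-Date '2021-03-11T02:17:41'; ServiceName = 'msupdate'
                       ImagePath = 'C:\Windows\Temp\msupdate.exe'; AccountName = 'LocalSystem' },
    [pscustomobject]@{ TimeCreated = Get-Date '2021-03-11T02:18:05'; ServiceName = 'UpdateSvc'
                       ImagePath = 'C:\Users\Public\svc.exe'; AccountName = 'LocalSystem' }
)
# The second record hits on name, the third on path only; the first is clean.
$SampleEvents | Find-SuspiciousServiceInstall | Format-Table -AutoSize

# Against the live log (run on the Exchange server as Administrator):
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } |
#     ConvertFrom-ServiceInstallEvent | Find-SuspiciousServiceInstall
```

If the attacker has already disabled Defender or cleared the System log, this check sees nothing, which is exactly why the post pairs it with Tamper Protection and with forwarding events off the host to Sentinel before an incident rather than after.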
Summary and IOC
If you haven’t already patched your systems, please do so right away and search your systems for signs of compromise.
Malwarebytes detects web shells planted on compromised Exchange servers as Backdoor.Hafnium. Before the ransomware was identified, DearCry attacks would have been detected proactively as Malware.Ransom.Agent.Generic.
Indicators of Compromise (IOCs):
The following IOCs are provided to assist your response in ascertaining whether your Exchange environment has been compromised:
If you need help with any deployment, investigation, or immediate incident response services please do get in touch with us to discuss this matter.