Exchange Week 2 – Ransomware Joins The Fray

Following exposure and publication of a major remote code execution vulnerability like Exchange's ProxyLogon (CVE-2021-26855, chained with companion bugs to reach code execution), we expect other threat actors to join the race against system administrators trying to patch their systems.

Initial reporting showed that the threat actor dubbed HAFNIUM was quietly exploiting these vulnerabilities since at least January 2021. Following Volexity's responsible disclosure and Microsoft's release of out-of-band patches on 2 March 2021, it was reported that up to 10 threat actors had begun actively attacking unpatched servers across the world.


Today we have confirmation that a new ransomware variant is being deployed using the Exchange ProxyLogon exploit.

The earliest report of this malware appears to be from 9 March in the BleepingComputer forum, where MalwareHunterTeam confirmed its novelty and its relatively limited distribution so far.


Most Important: Patch your Microsoft Exchange exposed servers.

Regardless of when you patched, you need to assume you were compromised. Threat actors ran internet-wide scans and exploited Exchange servers en masse in the days after last week's disclosure. Some of those intrusions left silent backdoors (web shells and other implants) that survive the application of patches, and we should assume some of them will be used to deliver ransomware in the future.

Post-exploitation detection can be done effectively using Infocyte's WebShell and Hafnium scanner, which consolidates all-source threat intelligence and the recommendations from Microsoft. Combined with our more sophisticated rootkit and implant detection capabilities, it is the most comprehensive threat hunt you can perform on your Exchange servers and the systems around them.
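The web shell hunt described above, as an added example that is not part of the original post and is not Infocyte's scanner: a small Python script that walks the Exchange front-end directories Microsoft's HAFNIUM guidance listed as common drop locations, flags ASP.NET handler files whose contents take code or a command from the request and execute it, and separately flags files modified on or after a cutoff date. The directory paths, the indicator patterns, the cutoff date and the two sample pages are assumptions constructed for this demo; the planted page only resembles the one-line shells reported after ProxyLogon and is not a captured sample.

```python
from __future__ import annotations

import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable, Optional

# Assumption: default Exchange 2013/2016/2019 install paths. These are the
# directories Microsoft's HAFNIUM guidance named as common web shell drop sites.
DEFAULT_SCAN_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
]

# ASP.NET handler types an attacker can drop and have IIS execute.
HANDLER_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax")

# Generic web shell indicators: code or commands taken from the request and
# executed. Constructed for this example, not a vendor signature set.
SHELL_PATTERNS = [
    ("request-param-to-eval", re.compile(r"eval\s*\(\s*Request", re.I)),
    ("request-item", re.compile(r"Request\.Item\s*\[|Request\s*\[\s*[\"']", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("process-spawn", re.compile(r"Process\.Start|ProcessStartInfo|cmd\.exe", re.I)),
    ("assembly-load", re.compile(r"Assembly\.Load\s*\(", re.I)),
    ("unsafe-jscript", re.compile(r"Language\s*=\s*[\"']JScript[\"']|[\"']unsafe[\"']", re.I)),
]


def scan_file(path: Path) -> list[str]:
    """Return the names of the indicators matched in one file ([] = clean)."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []
    return [name for name, rx in SHELL_PATTERNS if rx.search(text)]


def hunt(roots: Iterable[str | os.PathLike], cutoff: Optional[datetime] = None,
         extensions: tuple[str, ...] = HANDLER_EXTENSIONS) -> dict[str, list[str]]:
    """Walk each root; map suspicious file path -> list of reasons it was flagged.

    A file is flagged if its contents match an indicator, or (when a cutoff is
    given) if it was modified on or after that date. Attackers can timestomp,
    so the date check is a weak signal on its own and is reported separately.
    """
    hits: dict[str, list[str]] = {}
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in extensions:
                continue
            reasons = scan_file(path)
            if cutoff is not None:
                mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
                if mtime >= cutoff:
                    reasons.append(f"modified {mtime.date()} (on/after cutoff {cutoff.date()})")
            if reasons:
                hits[str(path)] = reasons
    return hits


# Constructed sample pages (not real Exchange files and not captured malware).
BENIGN_PAGE = """<%@ Page Language="C#" AutoEventWireup="true" %>
<html><body><h1>Outlook</h1><form runat="server"><input type="submit" /></form></body></html>
"""

# Resembles the one-line ASP.NET shells seen after ProxyLogon: JScript that
# evaluates whatever the request supplies in a parameter.
SHELL_PAGE = """<%@ Page Language="JScript" %>
<% eval(Request.Item["code"], "unsafe"); %>
"""


def demo() -> dict[str, list[str]]:
    """Build a throwaway owa\\auth tree with one clean and one planted page, then hunt it."""
    cutoff = datetime(2021, 1, 1, tzinfo=timezone.utc)  # earliest known HAFNIUM activity
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp) / "owa" / "auth"
        auth.mkdir(parents=True)
        benign = auth / "logon.aspx"
        benign.write_text(BENIGN_PAGE)
        old = datetime(2020, 6, 1, tzinfo=timezone.utc).timestamp()
        os.utime(benign, (old, old))  # a file that predates the campaign
        (auth / "extra.aspx").write_text(SHELL_PAGE)  # hypothetical dropped file name
        return {Path(p).name: reasons for p, reasons in hunt([tmp], cutoff).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
    # On a real server, run hunt(DEFAULT_SCAN_DIRS, cutoff) as an administrator.
```

A content match is the strong signal here; the modification-date check only helps because the page's own point is that the backdoors were planted during a known window, and it should be read alongside the IIS and Exchange HttpProxy logs rather than on its own. Microsoft also published a Test-ProxyLogon.ps1 script in its CSS-Exchange repository that checks those logs for the exploitation indicators; run it in addition to a file hunt like this one.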

Sign up today for a free guided assessment of your systems — our team is available to assist anyone going through an exchange-related breach.

Infocyte Team


*** This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Chris Gerritz.

Chris Gerritz

Chris is a retired Air Force cybersecurity officer and veteran who pioneered defensive cyber threat hunting operations for the U.S. Air Force — standing up their first interactive Defensive Counter Cyberspace (DCC) practice.
