Chinese state-sponsored threat actors known as Hafnium were the first to exploit the vulnerabilities. Security experts warned that more threat actors were bound to exploit the now-patched vulnerabilities, amid news of ESET identifying over 5,000 compromised Exchange servers.
It’s now being reported that several users from the US, Canada and Australia have submitted details about the DearCry ransomware being planted on their Exchange servers.
No end in sight
The details come from Michael Gillespie, who runs the ransomware identification site ID-Ransomware. On March 9 he noted the new submissions, which upon review revealed that they all were from Microsoft Exchange servers.
On the same day, a user on BleepingComputer’s forum boards shared details about the same DearCry ransomware attack on his Exchange servers using the now infamous Hafnium vulnerabilities.
Microsoft has now confirmed that the Exchange server vulnerabilities are indeed being exploited in human-operated attacks to deploy the DearCry ransomware. Human-operated attacks are targeted and carried out interactively by operators who compromise a system’s security manually, rather than by a worm that spreads automatically for mass attacks.
In a shocking revelation, Palo Alto Networks told BleepingComputer that while thousands of Exchange servers have been patched over the last few days, there are about 80,000 installations that are too old to directly apply the patches.
They also urge organizations to check their systems for signs of compromise even if they have applied the patches since they believe the attackers had a free run for months before the vulnerabilities were fixed.