If you had to name a piece of software cybercriminals look to target, Microsoft’s Exchange Server would surely be near the top of the list.
To its huge user base, it’s the perfect DIY in-house email system that has dovetailed with Microsoft’s ecosystem since the 1990s. To criminals, including ransomware criminals, it’s become tempting prey with a bright target on its back.
Recently, there’s been a striking uptick in ransomware attacks on Exchange servers. The latest example is a Microsoft warning that a BlackCat (ALPHV) Ransomware-as-a-Service (RaaS) affiliate has recently taken to breaching organizations through unpatched Exchange servers.
The server itself is merely a convenient bridgehead after which the attackers attempt to move laterally to steal data. The end result is the now standard mixture of data encryption and double extortion, where the attackers threaten to publish exfiltrated files.
In April, the FBI put out a warning about BlackCat being used to target at least 60 organizations. Elsewhere, Exchange has been spotted as a common denominator in many other ransomware incidents, including:
- Attacks by the Babuk ransomware in the second half of 2021
- The Cuba ransomware attacks made public in February 2022
- AvosLocker RaaS affiliate attacks in February 2022 publicized by the FBI
- Attacks targeting Exchange by a Hive RaaS affiliate in April 2022
There are many more; this list only gives a flavor of what has been going on. But why has Exchange become so popular in attacks?
Attacking Exchange is not new. After all, it is hugely popular, not to mention that, as with RDP, compromising it opens a big back door into any organization. But a discovery in March 2021 turned the Exchange amplifier dial up to 11.
This was the infamous sequence of zero-day vulnerabilities collectively known as ProxyLogon (CVE-2021-26855). Exploited by the Chinese Hafnium group, these gave attackers the holy grail of remote code execution through port 443 on versions of Exchange Server from 2013 onwards.
This was followed a few months later by three chained vulnerabilities nicknamed ProxyShell by the researcher who discovered them, plus a further batch around the same time called ProxyOracle.
That’s a lot of vulnerabilities in short order. Microsoft doesn’t specify the vulnerability being targeted in the latest BlackCat attacks, but it’s reasonable to assume ProxyLogon and ProxyShell are involved.
Why has this become such an issue?
Some Companies Are *Still* Not Patching
The simplest explanation is that a hardcore minority pays little heed to patching. A clue to this is the number of organizations regularly found to be running old versions such as Exchange 2007 and 2010 that no longer receive security updates at all.
These aren’t affected by the 2021 round of vulnerabilities, but they reflect an attitude to software that is still prevalent. This will never change until the last on-premises Exchange Server is finally turned off at some point in the distant future.
“In the long run we’re all dead,” the economist John Maynard Keynes famously quipped. Meanwhile, we must somehow find a good way to live in the present.