Microsoft Exchange servers now targeted by BlackKingdom ransomware


mood



Another ransomware operation known as 'BlackKingdom' is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers.

 

Over the weekend, security researcher Marcus Hutchins, aka MalwareTechBlog, tweeted that a threat actor was compromising Microsoft Exchange servers via the ProxyLogon vulnerabilities to deploy ransomware.

 

Based on the logs from his honeypots, Hutchins states that the threat actor used the vulnerability to execute a PowerShell script that downloads the ransomware executable from 'yuuuuu44[.]com' and then pushes it out to other computers on the network.

 

Honeypots are devices with known vulnerabilities exposed on the Internet to lure attackers and monitor their activities. Hutchins' honeypots, though, did not appear to become encrypted, and the attack he witnessed was believed to be a failed campaign.

 

Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom "Ransomware", but it doesn't appear to encrypt files, just drops a ransom note to every directory. pic.twitter.com/POYlPYGjsz

— MalwareTech (@MalwareTechBlog) March 21, 2021

 

However, based on submissions to ransomware identification site ID Ransomware, the BlackKingdom campaign has encrypted other victims' devices, with the first submissions seen on March 18th.

 

Michael Gillespie, the creator of ID Ransomware, told BleepingComputer that his system has seen over 30 unique submissions, with many being submitted directly from mail servers.

 

Victims are located in the USA, Canada, Austria, Switzerland, Russia, France, Israel, United Kingdom, Italy, Germany, Greece, Australia, and Croatia.

 

When encrypting devices, the ransomware will encrypt files using random extensions and then create a ransom note named decrypt_file.TxT, as shown below.

 


BlackKingdom ransom note

 

The ransom notes seen by BleepingComputer all demand $10,000 in bitcoin and use the same Bitcoin address (1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT) for payment. This Bitcoin address has received only one payment on March 18th, which has since been transferred to another address.

 

Another ransomware known as BlackKingdom was previously used in attacks in June 2020 when corporate networks were compromised using Pulse VPN vulnerabilities.

 

While it has not been confirmed if the recent attacks and the ones from the summer of 2020 are using the same ransomware, Hutchins states that the current ransomware executable is a Python script compiled into a Windows executable. The BlackKingdom ransomware from June 2020 was also coded in Python.

 

BlackKingdom is the second confirmed ransomware targeting the Microsoft Exchange ProxyLogon vulnerabilities. The first was the DearCry ransomware that was used in limited attacks earlier in the month.

 

Recently, leading electronics maker Acer also suffered a REvil ransomware attack that is suspected of having been conducted through ProxyLogon vulnerabilities. However, this has not been confirmed.

 

 

Source: Microsoft Exchange servers now targeted by BlackKingdom ransomware


Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers

 


 

More than a week after Microsoft released a one-click mitigation tool to mitigate cyberattacks targeting on-premises Exchange servers, the company disclosed that patches have been applied to 92% of all internet-facing servers affected by the ProxyLogon vulnerabilities.

 

The development, a 43% improvement from the previous week, caps off a whirlwind of espionage and malware campaigns that hit thousands of companies worldwide, with as many as 10 advanced persistent threat (APT) groups opportunistically moving quickly to exploit the bugs.

 

According to telemetry data from RiskIQ, there are roughly 29,966 instances of Microsoft Exchange servers still exposed to attacks, down from 92,072 on March 10.

 

While Exchange servers were under assault by multiple Chinese-linked state-sponsored hacking groups prior to Microsoft's patch on March 2, the release of public proof-of-concept exploits fanned a feeding frenzy of infections, opening the door for escalating attacks like ransomware and hijacking web shells planted on unpatched Microsoft Exchange servers to deliver cryptominers and other malware.

 


 

"To make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server," cybersecurity firm F-Secure noted in a write-up last week.

 

In the weeks since Microsoft first released its patches, at least two different strains of ransomware have been discovered as leveraging the flaws to install "DearCry" and "Black Kingdom."

 

Cybersecurity firm Sophos' analysis of Black Kingdom paints the ransomware as "somewhat rudimentary and amateurish in its composition," with the attackers abusing the ProxyLogon flaw to deploy a web shell, utilizing it to issue a PowerShell command that downloads the ransomware payload, which encrypts the files and demands a bitcoin ransom in exchange for the private key.

 

"The Black Kingdom ransomware targeting unpatched Exchange servers has all the hallmarks of being created by a motivated script-kiddie," Mark Loman, director of engineering at Sophos, said. "The encryption tools and techniques are imperfect but the ransom of $10,000 in bitcoin is low enough to be successful. Every threat should be taken seriously, even seemingly low-quality ones."

 

The volume of attacks even before the public disclosure of ProxyLogon has prompted experts to investigate whether the exploit was shared or sold on the Dark Web, or whether a Microsoft partner, with whom the company shared information about the vulnerabilities through its Microsoft Active Protections Program (MAPP), either accidentally or purposefully leaked it to other groups.

 

Source
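Both articles above describe the same two on-disk indicators of a BlackKingdom run: a ransom note named decrypt_file.TxT dropped into directories, and (in a successful run) files renamed with random extensions; Hutchins' honeypots saw notes but no encryption. The following triage script, an added example that is not from either article or from any vendor, walks a directory tree and reports which of those two states it finds. The extension heuristic (at least four alphanumerics, not in a small allow-list) and the sample tree it builds are assumptions for illustration.

```python
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTE = "decrypt_file.txt"  # note name reported in the article; matched case-insensitively
# Assumption: extensions a normal server tree commonly holds; anything else is "unusual".
COMMON_EXT = {".txt", ".log", ".edb", ".dll", ".exe", ".config", ".xml",
              ".ps1", ".html", ".js", ".css", ".json"}
# Assumption: the random extensions are runs of four or more alphanumerics.
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{4,}$")


def triage_tree(root):
    """Walk root; return {relative dir: {"notes": n, "unusual": n}} for dirs with findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        notes = [f for f in files if f.lower() == RANSOM_NOTE]
        unusual = Counter()
        for f in files:
            ext = os.path.splitext(f)[1]
            if ext and ext.lower() not in COMMON_EXT and RANDOM_EXT.match(ext):
                unusual[ext] += 1
        if notes or unusual:
            findings[os.path.relpath(dirpath, root)] = {
                "notes": len(notes), "unusual": sum(unusual.values())}
    return findings


def classify(findings):
    """Summarise: no notes, notes without encrypted files (failed run), or notes plus encryption."""
    notes = sum(v["notes"] for v in findings.values())
    unusual = sum(v["unusual"] for v in findings.values())
    if notes == 0:
        return "clean"
    if unusual == 0:
        return "note-only"  # the pattern Hutchins saw on his honeypots: notes dropped, nothing encrypted
    return "encrypted"


def build_sample(kind):
    """Construct a throwaway directory tree (sample data, not a real victim) and return its path."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Mailbox"))
    for d in ("", "Mailbox"):  # one note in the root, one in the subdirectory
        with open(os.path.join(root, d, "decrypt_file.TxT"), "w") as fh:
            fh.write("constructed sample note\n")
    open(os.path.join(root, "Mailbox", "app.config"), "w").close()  # ordinary file, ignored
    if kind == "encrypted":
        for name in ("report.docx.kq8Xz2", "db.edb.kq8Xz2", "notes.txt.p91Ab"):
            open(os.path.join(root, "Mailbox", name), "w").close()
    return root
```

Run `classify(triage_tree(path))` against a suspect share to separate a note-only drop from real encryption before deciding on restore scope.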
