Ransomware gangs continue to hit Exchange Servers. A look into Hades. Cyberattacks hit English schools.

At a glance.

• Ransomware hits vulnerable Exchange Servers.
• A trip across the Styx.
• Data-threatening cyberattacks hit English schools.

New threat groups prey on Microsoft Exchange server vulnerabilities.

The recently discovered vulnerabilities in Microsoft Exchange servers continue to be targeted by threat actors, and Security Week reports that, despite patches being released earlier this month, additional threat groups and botnets are seeking to exploit the weaknesses. Microsoft detected mass scanning from the Black Kingdom/Pydomer ransomware gang, probing for unpatched Exchange servers, and the gang dropped a webshell that was detected on fifteen hundred servers. Though ransomware wasn’t deployed on all of the machines, the gang might be planning to take advantage of the unauthorized access in some other way. Where they did deploy ransomware, they did not encrypt data, but left ransom notes threatening to publish exfiltrated data. Microsoft also found that the threat group behind the Lemon Duck cryptocurrency botnet has been attempting to take advantage of the issues: “While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.” Microsoft reports that the number of unpatched installations decreased from about 80,000 on March 14 to under 30,000 on March 22, and that 92% of Exchange IPs globally were patched or mitigated. But the company warns that Exchange server attacks could continue even after patches have been applied, as threat actors might use stolen credentials or capitalize on persistent access.

Purandar Das, CEO and Co-Founder of Sotero, commented on how the attack vector persists and extends through many targets: “What is being observed is the long tail of the attack vector. Copycats attacks and attempts to identify and access adjacent vulnerabilities will continue. Let’s also keep in mind that this relates to the actual method of access. The attempts to monetize the stolen information or hold organizations hostage will continue for a longer period of time. The stolen information may also change hands as its perceived value decreases. This will lead to new attempts at extortion.”

A journey into Hades’ underworld.

First detected last December, Hades ransomware predominantly targets larger, more lucrative organizations, some of which are multinationals raking in more than $1 billion annually. A team of researchers from cybersecurity firms CrowdStrike, Accenture, and Awake Security have conducted a deep investigation of the malware, and Security Week details their findings. Hades capitalizes on a double-extortion approach, both encrypting data and exfiltrating it, then threatening to leak it to the public if their ransom demands go unmet. Targeted industries include transportation and logistics, consumer products, and manufacturing and distribution. The hackers typically use legitimate credentials to gain access to internet-facing systems via Remote Desktop Protocol or Virtual Private Network, then deploy Cobalt Strike and Empire implants. A personalized Tor site is created for each victim, designed to facilitate Tox peer-to-peer instant messaging to discuss decryption and ransom negotiations. Ransom demands range from $5 to $10 million. Awake notes that strangely, when Hades has published victim data, they usually refrain from posting the most sensitive information: “Did they hold back on publicly sharing the most valuable data because they had alternate means to monetize the proprietary secrets?” It’s unclear exactly which threat group is behind Hades. Awake has found connections with China-based Hafnium, while CrowdStrike says Hades shows multiple code similarities with WastedLocker, a piece of ransomware attributed to Evil Corp last year.

UK schools experience continued surge in cyberattacks.

BBC News reports that the Harris Federation, a multi-academy trust that manages fifty primary and secondary schools around London, was hit by a cyberattack that forced administrators to disable the email and landline phone systems. One of England’s largest academy trusts, the Harris Federation is the fourth to experience an attack this month alone. According to a statement on the trust’s site, “This is a highly sophisticated attack that will have a significant impact on our academies but it will take time to uncover the exact details of what has or has not happened, and to resolve.” According to Schools Week, the trust has hired a team of cybersecurity consultants and is working closely with the National Crime Agency and National Cyber Security Centre to investigate. Though not yet confirmed, Bleeping Computer reports that some cybersecurity experts suspect the REvil ransomware operation could be to blame. 

Also in England, King Henry VIII School in Coventry fell prey to international ransomware group Pysa, CoventryLive reports, and the threat actors have already posted stolen data online. Law enforcement and the Information Commissioner’s Office have been notified. The US Federal Bureau of Investigation recently warned of a rise in Pysa attacks, and South and Central College in Birmingham already suffered an attack at the hands of this ransomware gang earlier this month. 

Comments are closed.