
Microsoft Exchange Servers Unpatched Targeted By Ransom


The serious security gap in Microsoft Exchange servers, which has made thousands of users vulnerable worldwide, is now also being exploited by a new blackmail trojan. The problem is, many companies haven’t acted yet.

According to a report by Bleeping Computer, the new ransomware “Epsilon Red” is currently targeting unpatched Microsoft Exchange servers. The new blackmail trojan exploits vulnerabilities in Microsoft Exchange servers to encrypt computers in the network.

Attack on unpatched Microsoft Exchange servers

The team at cybersecurity company Sophos recently discovered the new ransomware while investigating an attack on a major US hospitality company. The attackers may have exploited the ProxyLogon vulnerabilities to reach computers in the network.

The ProxyLogon flaws became widely known as hackers seized the opportunity and began scouring the internet for vulnerable devices and compromising them. This prompted authorities to warn about the security problem. The Federal Office for Information Security (BSI) published a warning in March. It said: “The situation is serious. We have thousands of open systems in Germany that have not been secured and are still open to attackers.” However, not much has changed since then; many companies have not updated their servers.

Not Taken Seriously

Around 92 percent of the vulnerable Microsoft Exchange servers have already received the update, according to Microsoft. The rest are now targeted by cybercriminals. The newly discovered Trojan has a few tricks up its sleeve: it deactivates Windows Defender, among other things, so that it can cause damage unnoticed.

Epsilon Red is written in Golang (Go) and has a number of unique PowerShell scripts that prepare the ground for the file encryption routine, each serving a specific purpose.

Among others:

  • Processes and services for security tools, databases, backup programs, Office apps and e-mail clients stopped
  • Volume shadow copies deleted
  • SAM (Security Account Manager) file containing password hashes stolen
  • Windows event logs deleted
  • Windows Defender disabled
  • Security tools uninstalled (from Sophos, Trend Micro, Cylance, MalwareBytes, SentinelOne, Vipre, Webroot)
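As an added illustration (not code from the article, from Sophos or from the malware itself), the following Python snippet shows how a defender might flag the preparatory behaviours listed above in process-creation telemetry and escalate only hosts where several of them occur together. The log lines, host names, file paths and rule names are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry):
# "<timestamp> <host> ParentImage=<path> CommandLine=<command line>".
SAMPLE_LOG = """\
2021-05-28T10:01:02Z srv01 ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine=powershell.exe -w hidden -f C:\\temp\\1.ps1
2021-05-28T10:01:05Z srv01 ParentImage=powershell.exe CommandLine=vssadmin.exe delete shadows /all /quiet
2021-05-28T10:01:07Z srv01 ParentImage=powershell.exe CommandLine=wevtutil.exe cl Security
2021-05-28T10:01:09Z srv01 ParentImage=powershell.exe CommandLine=reg.exe save HKLM\\SAM C:\\temp\\sam.hiv
2021-05-28T10:01:11Z srv01 ParentImage=powershell.exe CommandLine=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2021-05-28T10:02:00Z srv01 ParentImage=explorer.exe CommandLine=notepad.exe C:\\Users\\admin\\notes.txt
"""

# One rule per behaviour the article lists, matched case-insensitively
# against the whole record so parent/child relationships can be used too.
RULES = {
    "wmi_spawned_powershell": re.compile(r"ParentImage=\S*WmiPrvSE\.exe\s+CommandLine=powershell", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I),
    "sam_hive_dump": re.compile(r"reg(\.exe)?\s+save\s+HKLM\\SAM", re.I),
    "defender_disabled": re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring", re.I),
}


def scan(log_text):
    """Return a list of (rule_name, host) tuples, one per matching record."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed records
        host = fields[1]
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, host))
    return hits


def hosts_needing_triage(log_text, threshold=3):
    """Hosts on which at least `threshold` distinct rules fired.

    A lone shadow-copy deletion may be routine administration; the
    combination of several of these steps on one host is what matters."""
    per_host = {}
    for name, host in scan(log_text):
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= threshold)
```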

After breaking into the network, the hackers reach the computers via the remote desktop protocol and use Windows Management Instrumentation to install software and run PowerShell scripts that ultimately deploy the Epsilon Red ransomware and encrypt the attacked system.


Sophos researchers found that the threat actor also installed a copy of Remote Utilities, commercial remote desktop software, and the Tor browser. This step ensures the attackers still have a way in if they lose access through the original entry point.