There are growing concerns that more unpatched Microsoft Exchange servers could be compromised in ransomware attacks after Check Point revealed major recent surges in ProxyLogon attacks and ransomware.
The security vendor claimed in new figures released today that it has detected a 57% increase in ransomware attacks over the past six months, with the number of affected organizations growing by 9% each month so far in 2021.
Human-operated variants such as Maze and Ryuk have been particularly prevalent over the period, with the US (12%), Israel (8%) and India (7%) the most affected countries.
Amazingly, WannaCry is trending again, four years after it caused global panic. Still using EternalBlue to propagate, the worm affected 53% more organizations in March than at the start of the year.
At the same time as the continued surge in ransomware, Check Point has seen the number of attacks exploiting the ProxyLogon vulnerability to attack Exchange servers triple over the past week alone.
The most affected sectors are government/military, manufacturing and banking/finance, with nearly half (49%) of all exploit attempts in the US, followed by the UK (5%), the Netherlands (4%) and Germany (4%).
Microsoft was the first to warn users that vulnerable Exchange endpoints could be hijacked by attackers to deploy ransomware. The DearCry variant was spotted doing so in the wild.
A few days later Sophos detected Black Kingdom ransomware being deployed in a similar way.
“The threat actor exploited the on-premises versions of Microsoft Exchange Server, abusing the remote code execution (RCE) vulnerability also known as ProxyLogon (CVE-2021-27065),” it said. “After successfully breaching the Exchange server, the adversary delivered a webshell. This webshell offers remote access to the server and allows the execution of arbitrary commands.”
The acting director of the Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales, has also urged Exchange server administrators to patch now or risk the same fate.
Check Point stopped short of linking the two trends, but joined the chorus of voices calling for urgent action to patch the remaining Exchange servers vulnerable to ProxyLogon.
“Although we have not concluded that the two trends are directly related just yet, there is reason for concern. We do believe the Microsoft Exchange vulnerabilities opened up another door into organizations. And so, Check Point Research is also raising the alarm bells, just like CISA has,” said threat intelligence manager, Lotem Finkelsteen.
“We’re urging organizations to act now, before ransomware gangs make Exchange exploits popular. In cybercrime, we rarely see businesses that demonstrate constant growth, or rapid adjustments to changing factors, as well as quick adoptions of new technologies. Ransomware is one of those rare businesses.”