May 28, 2023

Microsoft has confirmed that a new strain of ransomware is targeting vulnerable on-premises Microsoft Exchange Servers through the dangerous ProxyLogon vulnerabilities.

The ransomware, Ransom:Win32/DoejoCrypt.A or DearCry, was being deployed after initial compromise through Exchange Server. Microsoft said users of Microsoft Defender who receive automatic updates should not need to take action, but on-premises Exchange users should prioritise the updates it has made available.

With more and more malicious actors piling in on the ProxyLogon vulnerabilities, the arrival of ransomware gangs was only a matter of time, and many observers had already predicted this would happen.

DearCry, which seems to have surfaced earlier in the week, appears to be a reasonably run-of-the-mill ransomware, but notably appears to contain no flaws that would enable victims to decrypt their data for free.

The ProxyLogon vulnerability highlights that organisations should never be complacent about their security. The nature of zero-day vulnerabilities is such that you may have a vulnerability assessment completed today and still fall victim tomorrow to an attack exploiting a newly discovered vulnerability.

The number of potential victims with vulnerable servers continues to spike, even as patching efforts ramp up. New data supplied to Computer Weekly by researchers at Spyse suggests that at the time of writing, it may be as high as 283,000, with only 26% of at-risk installations patched.

Compromised servers could enable an unauthorised attacker to extract your corporate emails and execute malicious code inside your organisation with high privileges.

Attackers are known to have exploited this zero-day for a while before the patch was released, and with proof-of-concept code now publicly available, albeit with some bugs, some attackers are bound to add it to their toolsets to launch attacks.
