Nguyen Jang, an independent security researcher in Vietnam, released a working proof-of-concept exploit for the group of Microsoft Exchange Server vulnerabilities known as ProxyLogon. In other words, he published, on GitHub (a platform owned by Microsoft), code that attackers could use against Microsoft's own customers.
Although the code does not work "out of the box", it can easily be adjusted into a working attack tool.
As the code spread, more and more attackers found these vulnerabilities. At least ten hacking groups have now been observed attacking hundreds of thousands of servers in 115 countries and regions, with victims including the European Banking Authority, Middle Eastern government agencies and South American government agencies.
ESET, a security company based in Slovakia, has identified six of these groups:
- f: based in China; the group began exploiting these vulnerabilities in early January.
- Tick (also known as Bronze Butler and RedBaldKnight): on February 28, two days before Microsoft released the patch, the group used these vulnerabilities to compromise the web server of an East Asian IT services company. Tick has been very active since 2018, targeting mainly organizations in Japan, but also organizations in South Korea, Russia and Singapore.
- LuckyMouse (APT27, Emissary Panda): on March 1, this cyber-espionage group compromised a number of government networks in Central Asia and the Middle East, as well as the e-mail server of a government entity in the Middle East.
- Calypso (associated with XPath): on March 1, the group broke into the e-mail servers of government agencies in the Middle East and South America. Over the following days it continued to target organizations in Africa, Asia and Europe, again mostly government organizations.
- Websiic: on March 1, this APT, which ESET had not seen before, targeted the mail servers of seven Asian companies in the IT, telecommunications and engineering sectors, as well as a government agency in Eastern Europe.
- Winnti Group (aka APT41 and Barium): a few hours before Microsoft released the emergency patch on March 2, ESET telemetry shows the group compromised the e-mail servers of an oil company and a construction-equipment company, both located in East Asia.
The code was removed, and the author received just one e-mail
GitHub, which is owned by Microsoft, removed the code after sending the author an e-mail.
A GitHub spokesperson said: "We understand that the publication and distribution of proof-of-concept exploit code has educational and research value for the security community. Our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, we disabled the gist after it was reported that it contained recently disclosed proof-of-concept code that is being actively exploited."
The author said it was fine to delete the code. What he released was not "out of the box" and needed adjustment; however, because it was based on the real PoC, it would help people who are genuinely studying this bug. He wrote the blog post to warn people about the crux of the bug, so that they could patch their servers in time, before the danger arrives.
Publishing such code is in fact normal practice: security researchers, including Google's elite Project Zero team, routinely publish proof-of-concept exploit code to show how a vulnerability is abused. The purpose is to educate the rest of the community and share knowledge.
On March 2, Microsoft released emergency out-of-band security updates addressing four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), and tens of thousands of Microsoft Exchange servers were patched in the following three days. Unfortunately, about 80,000 older servers cannot directly apply the latest security updates, so all organizations are strongly advised to apply the patches as soon as possible.
Samples of the DearCry ransomware can be found on VirusTotal [1, 2, 3]; all of them are executables compiled with MinGW. One of the samples contains the following PDB path:
When started, DearCry attempts to stop the Windows service named "msupdate". I don't know what this service is, but it does not appear to be a legitimate Windows service.
Code that stops the msupdate service
The ransomware then encrypts the files on the computer, appending the .CRYPT extension to each file name, as shown below.
DearCry encrypted files
DearCry encrypts files with AES-256 and RSA-2048 and writes the string "DEARCRY!" at the beginning of each encrypted file.
DearCry file marker in an encrypted file
After encrypting the computer, the ransomware creates a simple ransom note named "readme.txt" on the Windows desktop. The note contains two e-mail addresses for the threat actors and a unique hash, which Gillespie notes is the MD4 hash of the RSA public key.
DearCry ransom note
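The two on-disk indicators described above (the appended .CRYPT extension and the "DEARCRY!" string at the start of each encrypted file) are enough to scope the damage on a hit host. The following triage script is an added example for this article, not code from the original post or from any DearCry analysis; it assumes only those two indicators and the readme.txt note name, and the directory tree it scans is constructed inline for the demo. It deliberately reports files where the two indicators disagree (marker without extension, or extension without marker), since those are the cases a responder needs to look at by hand.

```python
"""Triage helper: find DearCry-encrypted files by their on-disk markers.

Added example; not from the original article or any DearCry analysis.
Indicators assumed from the text: ".CRYPT" appended to the file name,
"DEARCRY!" written at the start of each encrypted file, and a ransom
note named "readme.txt". The sample tree below is constructed demo data.
"""
import tempfile
from pathlib import Path

MARKER = b"DEARCRY!"      # string at the start of each encrypted file
EXT = ".CRYPT"            # extension appended to the original file name
NOTE_NAME = "readme.txt"  # ransom note dropped on the desktop


def classify(path):
    """Return 'encrypted', 'marker_only', 'ext_only', 'note' or 'clean'."""
    name = path.name
    if name.lower() == NOTE_NAME:
        return "note"
    has_ext = name.upper().endswith(EXT)
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(MARKER))
    except OSError:
        head = b""
    has_marker = head == MARKER
    if has_ext and has_marker:
        return "encrypted"
    if has_marker:
        return "marker_only"  # content is encrypted but the name was not changed
    if has_ext:
        return "ext_only"     # name matches but content does not: inspect manually
    return "clean"


def scan_tree(root):
    """Walk root recursively; return per-class counts and the non-clean hits."""
    counts = {"encrypted": 0, "marker_only": 0, "ext_only": 0, "note": 0, "clean": 0}
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            kind = classify(p)
            counts[kind] += 1
            if kind != "clean":
                hits.append((kind, str(p)))
    return counts, hits


def original_name(encrypted_name):
    """Strip the appended extension to recover the original file name."""
    if encrypted_name.upper().endswith(EXT):
        return encrypted_name[: -len(EXT)]
    return encrypted_name


def build_demo_tree():
    """Create a constructed directory tree mimicking a hit host (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="dearcry_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx.CRYPT").write_bytes(MARKER + b"\x00" * 64)
    (docs / "notes.txt.CRYPT").write_bytes(MARKER + b"\x01" * 16)
    (docs / "photo.jpg").write_bytes(MARKER + b"junk")    # marker, no extension
    (docs / "decoy.CRYPT").write_bytes(b"not encrypted")  # extension, no marker
    (docs / "plain.docx").write_bytes(b"PK\x03\x04")
    desktop = root / "Desktop"
    desktop.mkdir()
    (desktop / "readme.txt").write_text("constructed ransom note text")
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    summary, findings = scan_tree(demo_root)
    print(summary)
    for kind, path in findings:
        print(f"{kind:12} {path}")
```

Run it against a mounted image of the affected volume instead of the demo tree by passing that path to `scan_tree`; the `encrypted` count gives the blast radius, and `original_name` lets you map each .CRYPT file back to what needs restoring from backup.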
Nguyen Jang, an independent security researcher in Vietnam, wrote a blog post about the vulnerability: