Botnet operators, ransomware scammers the latest groups to pounce on Exchange Server bugs

What started as a reported Chinese spying operation has devolved into an opportunistic romp for criminals.

The floodgates appear to be open on critical bugs in Microsoft software as a predictable bevy of scammers — from a ransomware actor to cryptocurrency conmen — have flocked to vulnerable email servers.

The new incidents make clear that what started as a reported China-linked spying operation to steal data from the Microsoft email program has devolved into an opportunistic romp for criminals.

The number of attempts to exploit the email software program, known as Exchange Server, doubled every two to three hours over the course of 24 hours, Israeli security firm Check Point said Thursday. Government organizations, along with manufacturing and financial firms, were the top sectors targeted. The researchers cautioned, however, that they have yet to see intrusions that successfully string all of the vulnerabilities together.

At least one ransomware actor has now entered the fray.

Microsoft said late Thursday that crooks were using a new family of ransomware, dubbed DearCry, after breaking into organizations with the vulnerable email servers. But rather than a large-scale event, just a handful of servers in Australia, Canada and the U.S. appeared to be affected by the new ransomware strain as of Thursday, according to researcher Michael Gillespie.

Operators of botnets — the hordes of compromised computers used for spamming — also see an opportunity in the vulnerable email servers. The people behind the cryptocurrency-mining botnet known as Lemon Duck, active since 2018, have been conducting mass scanning for vulnerable servers and in some cases successfully exploited them, Costin Raiu, a researcher at anti-virus firm Kaspersky, said Friday.

Microsoft has urged organizations to apply security updates, while also providing fixes for older, unsupported versions of Exchange Server. But security experts warned last week that tens of thousands of U.S. state and local governments and businesses could be vulnerable to the hacking. Multiple security firms have released detection tools to mitigate the intrusions, and some researchers are working late hours to help resource-strapped organizations.

The malicious Exchange Server activity has also prompted high-level meetings of the Biden administration’s National Security Council, and an emergency directive from the Department of Homeland Security for federal civilian agencies to address the issue. So far, none of those agencies have been compromised in the Exchange Server hacks, according to DHS cybersecurity officials.

Written by Sean Lyngaas