
Patching is trucking along on Microsoft flaws, but hackers are still meddling

Ransomware hackers and cryptominers are still active.

Over 92% of servers that were vulnerable to recently announced Microsoft flaws have been patched or mitigated around the world, Microsoft announced Thursday.

The statistics are no doubt good news, as security researchers have tracked hackers from China exploiting systems and warned of an onslaught of ransomware attackers trying to take vulnerable organizations for a ride and extort them for money.

The percentage comes amid a series of other rosy assessments on the number of vulnerable systems that remain. Less than a week ago the White House noted that in the week prior the number of vulnerable machines fell by 45%. But the revelations about high percentages of patching don’t speak to the number of organizations that hackers have already been able to exploit.

Patching, while extremely helpful in warding off future hacking, does not evict hackers if they already exploited the vulnerabilities.


Criminal and nation-state hackers have already taken advantage. In some cases hackers have focused on deploying web shells, stealing credentials or exfiltrating data from targets. In recent days hackers exploiting the Exchange Server bugs have been using a slate of ransomware strains against targets in an effort to demand ransoms or extort victims for financial gain, just as security researchers warned would happen.

Hackers have deployed Pydomer ransomware against approximately 1,500 targets, demanding $10,000 in bitcoin from victims, Microsoft notes. DoejoCrypt ransomware is also being used alongside a variant of the Chopper web shell and Cobalt Strike, a penetration testing tool that can be used to log keystrokes, according to Microsoft’s blog on the latest patching numbers.

Lemon Duck, a cryptocurrency botnet, has also been exploiting victims in recent days, in some cases working to root out other attackers on the system and to mitigate one of the zero-day flaws recently exposed, CVE-2021-26855. This action could give them exclusive access to the victim, according to Microsoft.

“[T]hese threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible,” Microsoft notes in the blog.

Not all of the ransomware operations appear to be well-oiled. The suspected operators behind Pydomer, the so-called Black Kingdom hackers, have not triggered the ransomware in each case, according to Microsoft.


In some cases, hackers who have compromised vulnerable systems have not yet run follow-up attacks, suggesting that they may be holding stolen credentials or data to compromise networks in another way later, Microsoft warned.

“Attackers who included the exploit in their toolkits, whether through modifying public proof of concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could,” Microsoft states. “Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.”

Microsoft recommends investigating Exchange servers for compromise even if they have been patched: looking for web shells, resetting credentials on compromised systems and randomizing local administrator passwords. The company also suggests watching for changes to the system’s Windows Remote Management configuration that could indicate hackers worked to maintain persistence, for other persistence mechanisms, and for indications that hackers cleared logs to conceal their activities.
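The triage steps above, as an added PowerShell example (not Microsoft’s own tooling): it lists recently changed script files under the web roots, pulls log-clearing events, and dumps the WinRM listener configuration for comparison against a known-good baseline. The web root paths, the 30-day lookback window and the use of the $env:ExchangeInstallPath variable are assumptions to adjust for the environment.

```powershell
# Added post-patch triage helper for an Exchange server; run from an elevated
# PowerShell session. Paths and the lookback window below are assumptions.
$LookbackDays = 30
$Since = (Get-Date).AddDays(-$LookbackDays)

# Directories the IIS/Exchange front end serves; adjust to your install paths.
$WebRoots = @(
    "C:\inetpub\wwwroot",
    "$env:ExchangeInstallPath\FrontEnd\HttpProxy"
)

# 1. Web shell hunting: server-side script files created or modified recently.
Write-Host "== Recently created or modified script files under web roots =="
foreach ($root in $WebRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.asmx, *.ashx -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
            Select-Object FullName, CreationTime, LastWriteTime, Length |
            Format-Table -AutoSize
    }
}

# 2. Log clearing: Security event 1102 (audit log cleared) and System event 104
#    (event log cleared). Either inside the window deserves a closer look.
Write-Host "== Log-clearing events since $Since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. WinRM: current listeners and service state. Diff this against the
#    configuration you recorded before the incident; unexpected listeners,
#    ports or addresses can indicate a persistence foothold.
Write-Host "== WinRM listeners and service state =="
Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -Path $_.PSPath } |
    Select-Object PSParentPath, Name, Value | Format-Table -AutoSize
Get-Service -Name WinRM | Select-Object Name, Status, StartType
```

Credential resets and local administrator password randomization are deliberately left out; those are changes rather than checks and belong in your incident response plan.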


Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
