The SolarWinds hack, promptly followed by the Microsoft Exchange compromise, created a cocktail of fear for companies and urgency for bad actors.
But the mad dash to patch — or exploit — a widely accessible vulnerability is nothing new.
The race to patch comes every Tuesday, while bad actors decompile patches as companies update their systems. "You'll see what is in a fix in a patch is now showing up as a proof of concept exploit in something like Metasploit," a framework for finding vulnerabilities, said Chris Hallenbeck, CISO of the Americas at Tanium.
Security experts anticipated cybercriminal activity to mooch off the nation-state activity within Exchange. Bad actors have figured out what's needed to target Exchange, resulting in early incidents of DearCry ransomware. Even if companies issued early Exchange patches, they're tasked with finding intrusions that took place prior to the updates.
Microsoft released a one-click Exchange On-premises Mitigation Tool (EOMT) on Monday to address the ProxyLogon vulnerabilities. EOMT was designed for organizations without a dedicated security team to apply updates, the company said in a tweet.
"We are anticipating more exploitation of the Exchange vulnerability by ransomware actors in the near term," said John Hultquist, VP of intelligence analysis at Mandiant Threat Intelligence, in a statement on Friday. Ransomware cybercriminals "may pose a greater risk." The Exchange vulnerabilities provide bad actors an "especially efficient means of gaining domain admin access," he said.
Using popular tools creates a broad attack service. When a widespread threat is underway, if companies can shift some of their security responsibility to the cloud, as a CISO, "I'm going to do that," said Hallenbeck.
What's DearCry all about
At this point none of the larger threat groups have gotten involved in secondhand Exchange exploitation, said Mark Loman, director of the engineering technology office within Sophos.
The opportunity, however, is there.
"It's easy to point a finger and demonize one nation -state over another … But let's face it, there have been toolkits from other friendly countries that have also gotten out there" and become wormable, said Hallenbeck. Such was the case with the National Security Agency-created EternalBlue exploit, which led to 2017's WannaCry and NotPetya attacks.
While DearCry is likely a prototype, created in haste in reaction to the Exchange news, it takes the best components of ransomware, according to research from Sophos. DearCry has a "rare" hybrid encryption behavior only previously seen in WannaCry, where the strain deploys copy and in-place encryption. However, DearCry is human operated while WannaCry was automated.
In-place encryption has the encrypted data "written back on the exactly the same position on the disk," essentially erasing any hope for recovering originals, said Loman. Upon completing a copy attack, and after it encrypts and deletes the file, DearCry "starts to overwrite the original file as well with rubbish data; so that makes recovery impossible." Most ransomware strains don't follow a copy attack with an in-place attack.
DearCry and WannaCry actors focus on outdated software, but the compression time between a vulnerability disclosure and the creation of malware was vastly different. EternalBlue was leaked in April, about a month prior to the WannaCry ransomware spread in 2017; DearCry was launched in days.
The broad adoption of Exchange, maturity of ransomware and DearCry's use of copy and in-place attacks could combine for higher payouts for threat groups. Ransomware groups could also upcycle the strain's tactics, techniques and procedures (TTPs).
One of the recorded DearCry incidents on ransomware strain identification site ID-Ransomware said the actors asked for $16,000 — a relatively small sum compared to what prolific strains ask for now. Because there's no obfuscation, Sophos suspects the current iteration is in its infancy.
"It's worth a walk in the park for security people to tag this," said Loman. "That's also one of the reasons why we actually don't see widespread service impacted with it."
Microsoft said Ransom:Win32/DoejoCrypt.A is detectable with Microsoft Defender, thwarting DearCry infection. "This is part of that cat and mouse piece that people need to understand," said Hallenbeck. Even with the latest versions of antivirus, "you have to get the latest version in order to get protection from a concept of ransomware that's been around how many years now?" he said.
If that was the case, antivirus solutions should be able to catch reused ransomware behaviors, even with emerging strains.
Until DearCry is adopted by more sophisticated ransomware operators, the strain will likely die out as companies mitigate Exchange vulnerabilities, according to Loman.
Companies are working to uncover lingering access while patch administration is still underway. The federal government is still working to determine how many systems are susceptible to Exchange vulnerabilities, and subsequent ransomware threats, said National Security Adviser Jake Sullivan, during a White House briefing Friday.
"It is certainly the case that malign actors are still in some of these Microsoft Exchange systems, which is why we have pushed so hard to get those systems patched, to get remediation underway," said Sullivan.
Assessing SolarWinds and Exchange damages is dependent on a company's ability to issue timely patches and threat intelligence to hunt down lingering intrusions.
"The problem is if the bad guys got in the door before you did the patch, you still have a problem on your machine that you don't know about," said Hallenbeck. "I couldn't hope to have an analyst manually going through systems looking for things all the time."
The cloud won't shield a company from exploitation, but it does make patching easier. When a large-scale vulnerability arises, cloud providers will likely resolve the situation more quickly than companies running their own in-house solutions.
Assuming a company knows they have SolarWinds Orion in its environment, threat intelligence can then search for indicators, including specific IP addresses or hashes of files. However, in the Exchange hack, it's no longer relegated to one threat actor, as is the case with DearCry operators using the ProxyLogon remote code execution exploit in Exchange.
"There's a high degree that these updates actually fail. And since an Exchange server is a core capability of any of a business, these servers are not really often patched," said Loman. For large businesses, there's vast opportunity for espionage once an exploit is successfully taken advantage of — even after patching.
But if a company still has a ProxyLogon-vulnerable server, and DearCry hits, it's safe to assume the company has "lost the Exchange server," said Loman.