BlackKingdom ransomware attacking Microsoft Exchange servers via ProxyLogon vulnerabilities

Patching the bugs will not remove a hacker who has already compromised a server, according to Microsoft

A new ransomware campaign known as 'BlackKingdom' appears to exploiting Microsoft Exchange Server ProxyLogon vulnerabilities to deploy ransomware on vulnerable servers.

In a series of tweets posted on Sunday, security researcher Marcus Hutchins from MalwareTechBlog claimed that he left honeypots to lure attackers and caught someone running a script on his Exchange servers.

Honeypots are sacrificial computer systems with known security vulnerabilities that are exposed on the Internet to attract cyber attacks. Such honeypots can help cyber security experts to monitor activities of cyber groups.

According to Hutchins, BlackKingdom ransomware operators ran a malicious script on all of his vulnerable Exchange servers via ProxyLogon vulnerability, although it failed to encrypt files and just dropped a ransom note to every directory.

Hutchins said that the "script downloads an executable file and attempts to push it out to all systems on the network".

"The executable is py2exe, and if run successfully looks like this. Seems to be total skidware and it's unclear how many systems it successfully ran on, if any."

"BlackKingdom switching from actual ransomware to scareware which claims your files were uploaded would suggest the ransomware wasn't working well. The bitcoin address appears to be static, and so far they've received only 1 payment in 3 days."

While BlackKingdom failed to encrypt files stored on Hutchins' honeypots, the ransomware has successfully encrypted other victim's devices, according to ransomware identification site ID Ransomware.

Michael Gillespie, the developer of ID Ransomware, told BleepingComputer that his system has received over 30 unique BlackKingdom ransomware samples from victims in the USA, UK, Canada, France, Israel, Germany and other countries.

In those attacks, the ransomware encrypted files using random extensions and created a ransom note named decrypt_file.TxT.

But on Hutchins' systems, the ransom note was named ReadMe.txt and had slightly different text.

BlackKingdom is now the second ransomware strain that has been confirmed to be exploiting the ProxyLogon vulnerabilities in Exchanger servers. DearCry ransomware was the first to use those bugs in a limited number of attacks earlier in the month.

On Monday, Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), warned organisations that thousands of Exchange email servers were still vulnerable to attacks by hackers even after applying patches.

Microsoft issued a fix for the bugs about three weeks ago, but warned that patching won't remove a hacker who had already compromised a server.

Microsoft said that the four bugs, indexed as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, affect Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.

The company said that a highly sophisticated, China-based state-sponsored threat actor, dubbed Hafnium, was exploiting the flaws to launch attacks.

Security researcher Brian Krebs then claimed that at least 30,000 organisations across the United States had been compromised through these vulnerabilities.

Cyber security firm ESET also said earlier this month that it had evidence suggesting that at least 10 hacker groups were exploiting bugs in Microsoft Exchange Server to infiltrate computer systems across the globe.

Winnti Group, LuckyMouse, Tick, and Calypso cyber groups were among the groups exploiting the flaws, according to ESET.