CCCS: DearCry Ransomware 'Leveraged' to Exploit Microsoft Exchange Vulnerabilities

Canadian computer networks were severely impacted when Microsoft’s Exchange email service was hacked earlier this month, according to the Canadian Centre for Cyber Security (CCCS).

The agency's website also stated that a new ransomware variant, known as DearCry, is currently being "leveraged by actors exploiting the recently disclosed Exchange vulnerabilities."

"These vulnerabilities are being leveraged to gain a foothold within an organization’s network for malicious activity which includes but is not limited to ransomware and the exfiltration of data," the update read.

The initial hack was announced by Microsoft corporate vice president Tom Burt in a blog post earlier this month, in which Burt said that the company had discovered major vulnerabilities in its Exchange software. Microsoft credited the Chinese outfit Hafnium as the hacking group responsible for the attack.

Although Hafnium may be based in China, Burt says that it "conducts its operations primarily from leased virtual private servers (VPS) in the United States."

In response to the attack, Microsoft released several security update "patches" for various versions of Exchange, including older and out-of-date versions.

At this time, Microsoft is strongly encouraging Exchange Server customers to apply the newly released updates immediately. According to the blog post, "Exchange Server is primarily used by business customers, and we have no evidence that Hafnium’s activities targeted individual consumers or that these exploits impact other Microsoft products."

Over 20,000 US Organizations Affected in Microsoft Exchange Hack

In the US, at a March 5th press conference, White House Press Secretary Jen Psaki claimed that the hack could have "far-reaching impacts."

"We are concerned there are a large number of victims, and are working with our partners to understand the scope of this, so it’s an ongoing process," Psaki told reporters.

But even in the early stages of that process, a US government insider told Reuters that more than 20,000 U.S. organizations have been compromised in the breach.

On Twitter last week, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Christopher Krebs, called the breach a "crazy huge hack."

Krebs also made a point of saying that anyone who thinks they may have been affected should patch "if you haven’t already."
