Threat Signal Report

Campaigns Leveraging Recent Microsoft Exchange Server Vulnerabilities to Install DoejoCrypt/DearCry Ransomware Observed in the Wild

Description

FortiGuard Labs is aware of multiple reports of a new malware campaign where threat actors are leveraging known vulnerabilities in Microsoft Exchange Server to install ransomware. The ransomware has been identified as DoejoCrypt/DearCry.


The vulnerabilities exploited are those addressed in Microsoft's out-of-band release of March 2nd, which delivered patches for four CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The attack chain targets a Microsoft Exchange server that is able to receive untrusted connections from an external source. From there, the threat actors are able to install malware in the victim environment for further compromise. For further details about the Exchange Server vulnerabilities, please refer to our Blog and Threat Signal respectively.


What are the Technical Details of this Threat?

The ransomware encrypts files with AES-256 and then encrypts the AES key with an RSA-2048 public key, so the file contents cannot be recovered without the attacker's private RSA key. Encrypted files have the string DEARCRY! written at the beginning of the file header.


The ransomware will target the following file extensions for encryption:

.7Z, .APK, .APP, .ASPX, .AVI, .BAK, .BAT, .BIN, .BMP, .C, .CAD, .CER, .CFM, .CGI, .CONFIG, .CPP, .CSS, .CSV, .DAT, .DB, .DBF, .DLL, .DOC, .DOCX, .DWG, .EDB, .EML, .EXE, .GO, .GPG, .H, .HTM, .HTML, .INI, .ISO, .JPG, .JS, .JSP, .KEYCHAIN, .LOG, .MDB, .MDF, .MFS, .MSG, .ORA, .PDB, .PDF, .PEM, .PGD, .PHP, .PL, .PNG, .PPS, .PPT, .PPTX, .PS, .PST, .PY, .RAR, .RTF, .SQL, .STM, .TAR, .TEX, .TIF, .TIFF, .TXT, .WPS, .XHTML, .XLS, .XLSX, .XLTM, .XML, .ZIP, .ZIPX

Once a targeted file has been encrypted, it is renamed with the .CRYPT extension.
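As an added example (not FortiGuard's code or tooling) of how an incident responder could use the indicators above during triage: the script below walks a directory, confirms encrypted files by the DEARCRY! header marker rather than by the .CRYPT name alone, and separately lists untouched files whose extensions appear in the targeted list to estimate remaining exposure. The sample directory it builds is constructed for the demonstration and is not real ransomware output.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the report: the marker written at the start of each
# encrypted file and the extension appended after encryption.
DEARCRY_MAGIC = b"DEARCRY!"
ENCRYPTED_SUFFIX = ".CRYPT"

# Extensions the report lists as targeted (compared case-insensitively).
TARGETED_EXTENSIONS = set(
    ".7Z .APK .APP .ASPX .AVI .BAK .BAT .BIN .BMP .C .CAD .CER .CFM .CGI .CONFIG "
    ".CPP .CSS .CSV .DAT .DB .DBF .DLL .DOC .DOCX .DWG .EDB .EML .EXE .GO .GPG .H "
    ".HTM .HTML .INI .ISO .JPG .JS .JSP .KEYCHAIN .LOG .MDB .MDF .MFS .MSG .ORA "
    ".PDB .PDF .PEM .PGD .PHP .PL .PNG .PPS .PPT .PPTX .PS .PST .PY .RAR .RTF .SQL "
    ".STM .TAR .TEX .TIF .TIFF .TXT .WPS .XHTML .XLS .XLSX .XLTM .XML .ZIP .ZIPX".split()
)

def is_dearcry_encrypted(path: Path) -> bool:
    """True if the file begins with the DEARCRY! marker; the name alone is not trusted."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(DEARCRY_MAGIC)) == DEARCRY_MAGIC
    except OSError:
        return False

def scan_tree(root) -> dict:
    """Classify files: encrypted (marker present), suffix_only (.CRYPT name
    without the marker: renamed, truncated or unrelated), at_risk (targeted
    extension, not yet touched)."""
    report = {"encrypted": [], "suffix_only": [], "at_risk": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            upper = name.upper()
            if is_dearcry_encrypted(path):
                report["encrypted"].append(str(path))
            elif upper.endswith(ENCRYPTED_SUFFIX):
                report["suffix_only"].append(str(path))
            elif Path(upper).suffix in TARGETED_EXTENSIONS:
                report["at_risk"].append(str(path))
    return report

def build_sample_tree() -> str:
    """Constructed sample directory (not real ransomware output) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="dearcry_demo_")
    Path(root, "report.docx.CRYPT").write_bytes(DEARCRY_MAGIC + b"\x00" * 64)
    Path(root, "mailbox.edb").write_bytes(b"not yet encrypted")
    Path(root, "notes.txt.CRYPT").write_bytes(b"renamed but no marker")
    return root
```

Running scan_tree(build_sample_tree()) yields one confirmed encrypted file, one .CRYPT-named file without the marker, and one untouched Exchange database flagged as at risk.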


Are there Reports of Free Decryption Tools Available?

No. Unfortunately there have not been any reports of decryption tools available at this time within the security community.


What is the Status of Coverage?

Customers running current antivirus (AV) definitions are protected from DoejoCrypt/DearCry variants by the following signatures:

W32/Filecoder.OGE!tr
PossibleThreat.ARN.H
W32/Encoder.OGE!tr.ransom
W32/Encoder!tr


Testing by FortiGuard Labs shows that default FortiEDR and FortiXDR deployments detect and block DoejoCrypt/DearCry ransomware activity out of the box.


Is this State Sponsored?

Unlikely. There are no known indicators that this is related to the threat actor known as HAFNIUM. Initial assessments attribute the campaign to a separate, as yet unidentified threat actor.


How Serious of an Issue is This?

HIGH.


How Widespread is this Attack?

Global.


Are there Patches Available for Affected Exchange Servers?

Yes. Out-of-band patches were made available for download by Microsoft on March 2nd, 2021. It is recommended that all available patches for affected Microsoft Exchange servers are applied immediately, if feasible.


Any Other Suggested Mitigation?

According to Microsoft, restricting untrusted connections to Exchange servers protects against this attack. An alternative is to place the Exchange server behind a VPN so that it is not directly reachable from external networks. Either mitigation only blocks the initial portion of the attack chain; the remaining stages can still be triggered if an attacker already has access to the environment or can convince an administrator through social engineering to open a malicious file. Installing the available patches on Exchange servers should therefore be prioritized immediately.


Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to protect against attackers establishing a foothold within the network.


Organizations are also encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees never to open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.



Definitions

Traffic Light Protocol

For each color: when should it be used, and how may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.