Ransomware gangs continue to hit Exchange Servers. A look into Hades. Cyberattacks hit English schools.

Summary

By the CyberWire staff

At a glance.

Ransomware hits vulnerable Exchange Servers.
A trip across the Styx.
Data-threatening cyberattacks hit English schools.

New threat groups prey on Microsoft Exchange server vulnerabilities.

The recently discovered vulnerabilities in Microsoft Exchange servers continue to be targeted by threat actors, and Security Week reports that, despite patches being released earlier this month, additional threat groups and botnets are seeking to exploit the weaknesses. Microsoft detected mass scanning from the Black Kingdom/Pydomer ransomware gang, probing for unpatched Exchange servers, and the gang dropped a webshell that was detected on fifteen hundred servers. Though ransomware wasn’t deployed on all of the machines, the gang might be planning to take advantage of the unauthorized access in some other way. Where they did deploy ransomware, they did not encrypt data, but left ransom notes threatening to publish exfiltrated data. Microsoft also found that the threat group behind the Lemon Duck cryptocurrency botnet has been attempting to take advantage of the issues: “While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.” Microsoft reports that the number of unpatched installations decreased from about 80,000 on March 14 to under 30,000 on March 22, and that 92% of Exchange IPs globally were patched or mitigated. But the company warns that Exchange server attacks could continue even after patches have been applied, as threat actors might use stolen credentials or capitalize on persistent access.

Purandar Das, CEO and Co-Founder of Sotero, commented on how the attack vector persists and extends through many targets: “What is being observed is the long tail of the attack vector. Copycats attacks and attempts to identify and access adjacent vulnerabilities will continue. Let’s also keep in mind that this relates to the actual method of access. The attempts to monetize the stolen information or hold organizations hostage will continue for a longer period of time. The stolen information may also change hands as its perceived value decreases. This will lead to new attempts at extortion.”

A journey into Hades’ underworld.

First detected last December, Hades ransomware predominantly targets larger, more lucrative organizations, some of which are multinationals raking in more than $1 billion annually. A team of researchers from cybersecurity firms CrowdStrike, Accenture, and Awake Security have conducted a deep investigation of the malware, and Security Week details their findings. Hades capitalizes on a double-extortion approach, both encrypting data and exfiltrating it, then threatening to leak it to the public if their ransom demands go unmet. Targeted industries include transportation and logistics, consumer products, and manufacturing and distribution. The hackers typically use legitimate credentials to gain access to internet-facing systems via Remote Desktop Protocol or Virtual Private Network, then deploy Cobalt Strike and Empire implants. A personalized Tor site is created for each victim, designed to facilitate Tox peer-to-peer instant messaging to discuss decryption and ransom negotiations. Ransom demands range from $5 to $10 million. Awake notes that strangely, when Hades has published victim data, they usually refrain from posting the most sensitive information: “Did they hold back on publicly sharing the most valuable data because they had alternate means to monetize the proprietary secrets?” It’s unclear exactly which threat group is behind Hades. Awake has found connections with China-based Hafnium, while CrowdStrike says Hades shows multiple code similarities with WastedLocker, a piece of ransomware attributed to Evil Corp last year.

UK schools experience continued surge in cyberattacks.

BBC News reports that the Harris Federation, a multi-academy trust that manages fifty primary and secondary schools around London, was hit by a cyberattack that forced administrators to disable the email and landline phone systems. One of England’s largest academy trusts, the Harris Federation is the fourth to experience an attack this month alone. According to a statement on the trust’s site, “This is a highly sophisticated attack that will have a significant impact on our academies but it will take time to uncover the exact details of what has or has not happened, and to resolve.” According to Schools Week, the trust has hired a team of cybersecurity consultants and is working closely with the National Crime Agency and National Cyber Security Centre to investigate. Though not yet confirmed, Bleeping Computer reports that some cybersecurity experts suspect the REvil ransomware operation could be to blame.

Also in England, King Henry VIII School in Coventry fell prey to international ransomware group Pysa, CoventryLive reports, and the threat actors have already posted stolen data online. Law enforcement and the Information Commissioner’s Office have been notified. The US Federal Bureau of Investigation recently warned of a rise in Pysa attacks, and South and Central College in Birmingham already suffered an attack at the hands of this ransomware gang earlier this month.

Selected Reading

FSMI demands probe into MobiKwik data breach (Hindu Businessline) The Free Software Movement of India (FSMI) has asked the Indian Computer Emergency Response Team (CERT-IN) to initiate an inquiry into the alleged breach of data of about 10 crore users of M

Duncannon settles cyber attack claims (Pennlive) Duncannon could reclaim most of the money it lost in a 2020 ransomware attack on its computers.

Google Hit With Privacy Suit Over Data Shared In Ad Auctions (Law360) Google is breaking its privacy promises "billions of times every day" by selling and sharing consumers' personal information with the thousands of companies that participate in its digital ad auctions without users' knowledge or permission, according to a putative class action filed in California federal court Friday.

Microsoft attack could result in a flood of cyber claims (Insurance Business) Industry is "only just beginning to understand the scope of possible damage," expert says

F Secure Oyj : Online extortion, data theft gain traction among cyber criminals (MarketScreener) 'Organizations with reliable backups and effective restoration procedures are in a strong position to recover from a ransomware attack without having to pay. However, managing a...

Increased use of vaccine passports could lead to scams, experts warn (ABC News) As more venues and services start to require proof of vaccination for access, experts are warning of a rise in fraudulent activity surrounding vaccine passports.

'We have your porn collection': The rise of extortionware (BBC News) Hacked firm's IT Manager named and shamed by hackers in extortion technique.

“Probably The Largest KYC Data Leak In History” Demonstrates The Importance Of Bitcoin Privacy (Bitcoin Magazine) The alleged hack has left millions of users’ personal data — including passwords and addresses — available for 1.5 BTC on the dark web.

()

Harris Federation hit by ransomware attack affecting 50 schools (BleepingComputer) The IT systems and email servers of London-based nonprofit multi-academy trust Harris Federation were taken down by a ransomware attack on Saturday.

Hackers target Harris Federation in latest cyber attack (Schools Week) One of the country’s largest academy trusts has become the latest victim of a targeted ransomware cyber attack – with laptops used by pupils and email systems disabled. Harris Federation, which runs 49 schools, detected the attack on Saturday, and has been working through the weekend to resolve the issues. A Schools Week investigation last…

Ransomware attack on UK charity affects 37,000 students (Computing) The Harris Federation has disabled its email and telephone system as a result of the attack

London's biggest school trust hit by ransomware (The Record by Recorded Future) London's biggest multi-academy school trust, the Harris Federation, was hit by ransomware, bringing down IT systems, email servers, and phone lines at primary and secondary academies across London.

Henry VIII School's system hacked by crime group known to FBI (CoventryLive) The organisation got into the school's system and posted personal data online

DeKalb schools notify parents about data breach (Atlanta Journal Constitution) It's unclear how many students it may involve.

DeKalb schools address data breach letter received by parents and guardians (DeKalb Champion) DeKalb County School District is awaiting more details on a data breach letter that was recently received by many district parents and guardians.

Reserve Bank searches for new platform post-cyber breach (Insurance Business) It said the search has been more difficult than anticipated

Analysts Affirm CNA Ratings As Insurer Continues Probe of Cyber Attack (Insurance Journal) CNA Financial Corp.'s financial ratings have not been affected by the insurer's recent cyber attack. AM Best, S&P Global Ratings and Fitch Ratings all

Unfair exchange: ransomware attacks surge globally amid Microsoft Exchange Server vulnerabilities - Check Point Software (Check Point Software) Over the past year, hospitals and the healthcare industry have been under tremendous pressure during the COVID-19 pandemic, not only dealing with surges

More Ransomware Gangs Targeting Vulnerable Exchange Servers (SecurityWeek) The Black Kingdom/Pydomer ransomware operators join other threat actors targeting unpatched Microsoft Exchange servers.

'Hades' Ransomware Hits Big Firms, but Operators Slow to Respond to Victims (SecurityWeek) Hades ransomware operators adopt a double-extortion tactic, but they are often slow to respond to requests for payment instructions.