Microsoft Exchange servers are under attack once again


Microsoft Exchange servers are once again under attack as a security researcher has discovered a new campaign known as “BlackKingdom” that leverages the ProxyLogon vulnerabilities to deploy ransomware.

As reported by BleepingComputer, security researcher Marcus Hutchins from MalwareTechBlog detailed his discovery in a recent series of tweets, saying:

“Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom "Ransomware", but it doesn't appear to encrypt files, just drops a ransom note to every directory. According to my honeypot backlog, the same attacker ran the following script a few days prior, but it failed.”

Although the attackers pushed the ransomware to Hutchins' honeypots, the honeypots were not encrypted, which suggests that what he witnessed was a failed attack.

BlackKingdom

Although the attackers failed to encrypt Hutchins' honeypots, submissions to the ransomware identification site ID Ransomware show that BlackKingdom did successfully encrypt other victims' devices in mid-March.

So far BlackKingdom has infected victims in the US, Canada, Austria, Switzerland, Russia, France, Israel, the UK, Italy, Germany, Greece, Australia and Croatia.

When successfully deployed, the ransomware encrypts files, giving them random extensions, and then leaves a ransom note named decrypt_file.TxT. In his research, however, Hutchins found a different ransom note named ReadMe.txt whose text differs slightly. Both ransom notes demand that victims pay $10,000 in bitcoin to decrypt their servers.
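A quick triage script for the note-dropping behaviour described above, added here as an example; it is not code from the article or from Hutchins. The note filenames (decrypt_file.TxT, ReadMe.txt) and the bitcoin demand are the ones the article reports; the directory layout, note contents and function names are constructed for the demo. Because ReadMe.txt is a common legitimate filename, a file is only flagged when both the name and a bitcoin demand in its text match, and the script also reports what fraction of directories hold a note, since "a note in every directory" is the pattern Hutchins observed.

```python
"""Find BlackKingdom-style ransom notes dropped across a directory tree.

Added example for triage, not code from the article. On a real server you
would call scan_tree() on the volume root instead of the constructed sample.
"""
import os
import tempfile
from pathlib import Path

# Ransom-note filenames reported in the article, matched case-insensitively
# (the observed "decrypt_file.TxT" already shows mixed case).
NOTE_NAMES = {"decrypt_file.txt", "readme.txt"}
# Both notes demand payment in bitcoin; requiring the word in the file body
# avoids flagging ordinary README.txt files (assumption: notes stay in plain text).
NOTE_KEYWORD = "bitcoin"


def is_ransom_note(path: Path) -> bool:
    """True if the file has a known note name and its text mentions bitcoin."""
    if path.name.lower() not in NOTE_NAMES:
        return False
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return NOTE_KEYWORD in text.lower()


def scan_tree(root) -> tuple:
    """Walk root and return (dirs_scanned, dirs_with_note, note_paths)."""
    dirs_scanned = 0
    note_paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dirs_scanned += 1
        for name in filenames:
            candidate = Path(dirpath) / name
            if is_ransom_note(candidate):
                note_paths.append(candidate)
    dirs_with_note = len({p.parent for p in note_paths})
    return dirs_scanned, dirs_with_note, note_paths


def note_coverage(root) -> float:
    """Fraction of directories holding a note; close to 1.0 means the
    'note dropped to every directory' pattern described in the article."""
    scanned, hit, _ = scan_tree(root)
    return hit / scanned if scanned else 0.0


def build_sample_tree(root) -> Path:
    """Constructed sample: notes in two directories plus a benign ReadMe.txt."""
    root = Path(root)
    for sub in ("inetpub/wwwroot", "inetpub/logs", "projects/docs"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / "inetpub/wwwroot/decrypt_file.TxT").write_text(
        "Your files are encrypted. Pay $10,000 in bitcoin.\n")
    (root / "inetpub/logs/ReadMe.txt").write_text(
        "Send 10000 USD in Bitcoin to receive the decryptor.\n")
    # Same filename as a ransom note, but no bitcoin demand: must not be flagged.
    (root / "projects/docs/ReadMe.txt").write_text("Build instructions: run make.\n")
    (root / "projects/docs/notes.txt").write_text("meeting notes\n")
    return root


def demo() -> dict:
    """Build the constructed tree in a temp directory, scan it, and return the
    results: six directories walked (root included), two of them with notes."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        scanned, hit, paths = scan_tree(tmp)
        return {
            "dirs_scanned": scanned,
            "dirs_with_note": hit,
            "notes": sorted(p.name for p in paths),
            "coverage": note_coverage(tmp),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live incident, treat a high coverage value as a sign that the dropper ran, and pull the note paths' timestamps to bound when it happened; the benign ReadMe.txt in the sample shows why the filename alone is not enough.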

This isn't the first time that a ransomware known as BlackKingdom has been observed in the wild. Back in June of last year, another ransomware by the same name was used to compromise corporate networks by exploiting vulnerabilities in Pulse VPN. Although it has not been confirmed that the two are the same operation, both versions of the BlackKingdom ransomware were written in Python.

Another ransomware known as DearCry was also used to launch attacks against Microsoft Exchange servers by exploiting the ProxyLogon vulnerabilities earlier this month.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
