Some Exchange Server Victims Have Multiple Backdoors Installed
Experts are working to notify and help organizations with systems that have been compromised by groups exploiting the Exchange Server vulnerabilities before the attackers move on to phase two of the campaign, which could have much more dire consequences. Some of the victims have been targeted by multiple groups and as a result, now have multiple backdoors on their systems. Victims of the attacks include Norway’s parliament, and the European Banking Authority.
With proof-of-concept code circulating, backdoors are to be expected. Attackers are racing to control as many systems as possible before other groups lock them down. The attackers are acting MUCH more quickly than system owners and will make the cleanup job all that much harder for system owners who are slow to respond.
As feared, the criminals have already moved on to the next phase and are starting to leverage their foothold on compromised systems to launch ransomware attacks known as Ransom:Win32/DoejoCrypt.A, and also as DearCry (https://www.zdnet.com/article/microsoft-watch-out-for-this-new-ransomware-threat-to-unpatched-exchange-email-servers/) If you have not checked your on premise Exchange servers by now do so as a matter of urgency using the guidance provided by Microsoft: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/.
Read more in
KrebsOnSecurity: Warning the World of a Ticking Time Bomb
Gov Infosecurity: List of Hacked Exchange Servers May Boost Recovery Efforts
Bleeping Computer: Norway parliament data stolen in Microsoft Exchange attack