The head of Canada’s Cyber Centre is urging organizations to close a door in their Microsoft Exchange email servers that had been left wide open for hackers to exploit.
While many companies have already patched their systems, some have yet to do so – and for those businesses, it may already be too late.
“Given the worldwide activity, it’s very probable that Canadian organizations have been impacted if they haven’t patched,” explained Scott Jones, head of the Canadian Centre for Cyber Security (Cyber Centre), in an interview with Global News.
“The last two weeks have been a flurry of activity. Most organizations have started patching immediately, within minutes of these patches being released.”
On March 2, Microsoft discovered a vulnerability in its email servers that allowed hackers to infiltrate systems, compromising thousands of servers around the world with malware. The company came out with a software patch to put a stop to it but some Canadian companies still haven’t used that patch.
Jones explained that attackers haven’t been targeting specific organizations, but rather are viewing the vulnerability as a free-for-all. No unpatched system is off-limits, he warned.
“They’re going for volume here. They’re going to compromise anything that looks vulnerable, no matter who they are. This isn’t targeted,” Jones said.
The Cyber Centre wrote in a recent update about the vulnerability that the malicious actors are “actively scanning” to see if any servers have yet to be patched. Once discovered, the hackers walk through that open doorway to upload malware – including a new kind of ransomware known as DearCry.
Ransomware is a type of cyberattack that infects your device, holding your information hostage until you pay a fee.
DearCry, the new variant of ransomware, was explained by cybersecurity company Palo Alto’s Unit 42 as a kind of malicious ransomware that encrypts the victim’s files and deploys a ransom note to the victim’s desktop.
Unlike most ransomware, which often demands a fixed ransom amount and may include a Bitcoin wallet address, DearCry includes email addresses that the victim is asked to contact.
In their explanation, the Unit 42 researchers echoed Jones’ advice that all Microsoft Exchange Servers should be updated immediately to include the patched versions.
“(DearCry) is a perfect example of how threat actors can impact the threat landscape by taking advantage of newly disclosed vulnerabilities to make a quick profit,” the researchers wrote.
While the Cyber Centre has yet to receive any clear reports of DearCry ransomware appearing on Canadian systems, a spokesperson for the Communications Security Establishment (CSE) explained to Global News that the malware is being used around the world.
“We’ve seen reporting that DearCry ransomware is being used globally against compromised networks related to the Microsoft Exchange vulnerability. Not specifically systems within Canada,” Evan Koronewski said in an emailed statement.
Despite the lack of actual reports of DearCry invading Canadian systems, Jones said the “worldwide level of exploitation” makes it “very probable.”
“In fact, it’s almost certain that there will be victims in Canada because of this,” he said.
In an emailed statement sent to Global News on Tuesday evening, CSE confirmed that some of the unpatched systems in Canada “have been further compromised with malware.” It did not, however, specify whether DearCry was the malware in question.
Jones added that it can be hard for the Cyber Centre to provide firm numbers on the scope of any cyberattacks in Canada, as victims have to report it to the centre themselves – and it’s something they “don’t always” do, Jones added.
“We don’t talk on their behalf. It’s up to them to tell their customers, or their or their employees in this case, if they’ve been victims of a cyber-incident. But we need them to report,” Jones said.
If you think your server might be infected with malware as a result of the Microsoft Exchange vulnerability, you can email the Cyber Centre at contact@cyber.gc.ca or reach it by phone at 1-833-292-3788.