Ransomware operators are piling on already hacked Exchange servers
Found on Ars Technica on Thursday, 01 April 2021
The ransomware—known as Black Kingdom, DEMON, and DemonWare—is demanding $10,000 for the recovery of encrypted data, security researchers said. The malware is getting installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft email program. Attacks started while the vulnerability was still a zero-day. Even after Microsoft issued an emergency patch, as many as 100,000 servers that didn’t install it in time were infected.
More interesting are the hidden backdoors that stay unnoticed even after admins have installed all available updates. Pretty much every network with an accessible Exchange server should be considered possibly compromised.