The Black Basta ransomware group is revamping an older malware known as Qbot, Qakbot and Pinkslipbot to exploit Microsoft Exchange Server. A successful attack allows threat actors to gain access to the target network, collect critical personal information, and encrypt the network. Barracuda MSP recommends updating all vulnerable Microsoft Exchange Servers in your environment as soon as possible to avoid potential impact.
What is the threat?
A vulnerability exists in the current Microsoft Exchange Server. By exploiting an unpatched Microsoft Exchange Server, threat actors can gain access to the server, collect banking credentials and other financial information, and encrypt networks. Experts reported that threat actors are evading antivirus detection by disabling Windows Defender.
Why is it noteworthy?
This vulnerability exists in the current Microsoft Exchange Server, which is a common tool for email communications at organizations and schools. The FBI warned in a flash alert that BlackCat ransomware had been used to encrypt the networks of at least 60 organizations worldwide between November 2021 and March 2022. When news of vulnerabilities such as this breaks publicly, attackers are known to accelerate their attacks because they know the window of opportunity will close soon.
What is the exposure or risk?
When exploited, this vulnerability gives a threat actor complete and unrestricted access to the target network. With network access, a threat actor can easily conduct a ransomware event that can lead to temporary or permanent loss of sensitive or proprietary information, disruption of regular operations, financial losses, and potential harm to an organization’s reputation.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of an arbitrary code execution attack:
- Review your identity posture, monitor external access to your network, and update all vulnerable Microsoft Exchange servers in your environment as soon as possible.
- Keep all servers updated to enforce security measures.
- Continue to stay up to date with our threat advisories to avoid potential threats.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.