    Ransomware risk ramping up as holidays approach. Unpatched vulnerabilities make your clients an easy target

    Attackers are actively exploiting unpatched critical vulnerabilities in Microsoft Exchange Server and other network infrastructure to detonate ransomware and commit cyber extortion. It’s essential to apply Microsoft’s security updates for Exchange Server to prevent damage from a new critical vulnerability (CVE-2021-42321 Remote Code Execution Vulnerability) that is already being exploited in the wild. 

    We expect ransomware and cyber extortion risks to continue to rise as cyber criminals take advantage of the festive holiday and holiday shopping to launch attacks. Your organization should be on alert, monitor, and prepare to respond.

    Attackers target known vulnerabilities

    In addition to targeting brand-new (zero-day) vulnerabilities, attackers take advantage of organizations that have failed to stay up to date on patching, or they use access gained before the organization patched, having persisted unnoticed in the network for months.

    • Microsoft Exchange Server. Several forensic vendors have attributed more than 60% of recent ransomware incidents to unpatched vulnerabilities in Exchange Server. Some of those vulnerabilities have been publicized widely for more than six months. Microsoft has released security updates to address both known and new vulnerabilities.
    • Citrix. An arbitrary code execution vulnerability in Citrix appliances (CVE-2019-19781) was the top exploited vulnerability in 2020, according to the Cybersecurity and Infrastructure Security Administration (CISA), and we have still seen it exploited in recent ransomware incidents. See Citrix Mitigation Steps for CVE-2019-19781.
    • Fortinet. The FBI and CISA have repeatedly warned that threat actors are scanning internet-facing devices for vulnerabilities in Fortinet’s firewall and other security products. CISA Alert AA21-321A provides details on detection and mitigation.
    • Palo Alto Networks. A vulnerability in older versions of their GlobalProtect firewall could allow attackers to execute code remotely. Some 10,000 customers are potentially affected. Versions earlier than PAN-OS 8.1.17 are vulnerable and should be upgraded.

    In response to continuing vulnerabilities, CISA has created a catalog of known exploited vulnerabilities and issued an operational directive for federal agencies to address them by certain target dates. The catalog is also a useful resource for the private sector and can be downloaded as a spreadsheet for easier analysis. You should work with your IT team or provider to review the list and ensure you have addressed them. 
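    An added example (not from the advisory or from CISA): a small Python script that loads the catalog in its CSV form, matches entries against an asset inventory, and flags unpatched items that are past their CISA due date. The column names are assumed from the published catalog format; the rows (including their dates) and the inventory are constructed samples, not copies of the catalog.

```python
import csv
import io
from datetime import date

# Constructed sample rows in the column layout of CISA's Known Exploited
# Vulnerabilities CSV (column names assumed from the published catalog; the
# CVE ids are the ones this advisory names, the dates are constructed).
KEV_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate
CVE-2021-42321,Microsoft,Exchange Server,Exchange Server RCE,2021-11-17,Constructed sample row,Apply updates per vendor instructions.,2021-12-01
CVE-2019-19781,Citrix,Application Delivery Controller and Gateway,Citrix ADC code execution,2021-11-03,Constructed sample row,Apply updates per vendor instructions.,2022-05-03
"""

# Constructed asset inventory: what you run and whether the vendor fix is applied.
INVENTORY = [
    {"vendor": "Microsoft", "product": "Exchange Server", "patched": False},
    {"vendor": "Citrix", "product": "Application Delivery Controller", "patched": True},
    {"vendor": "Fortinet", "product": "FortiGate", "patched": False},
]


def load_kev(text):
    """Parse the KEV CSV text into a list of dicts, one per catalog entry."""
    return list(csv.DictReader(io.StringIO(text)))


def matches(entry, asset):
    """Match a catalog entry to an inventory asset by vendor and product name."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and asset["product"].lower() in entry["product"].lower())


def triage(kev_rows, inventory, today_iso):
    """Return (cveID, vendor, product, status) for every catalog entry that
    applies to an unpatched asset; status is OVERDUE or the pending due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in kev_rows:
        for asset in inventory:
            if asset["patched"] or not matches(entry, asset):
                continue
            due = date.fromisoformat(entry["dueDate"])
            status = "OVERDUE" if today > due else "DUE " + entry["dueDate"]
            findings.append((entry["cveID"], entry["vendorProject"],
                             entry["product"], status))
    return findings


if __name__ == "__main__":
    for finding in triage(load_kev(KEV_CSV), INVENTORY, "2021-12-10"):
        print(" | ".join(finding))
```

Replace KEV_CSV with the downloaded catalog and INVENTORY with your own asset list; entries for vendors you do not run produce no findings.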

    Microsoft Exchange Server vulnerabilities

    Security researchers have reported that a critical vulnerability in Exchange Server (CVE-2021-42321 Remote Code Execution Vulnerability) announced earlier this month is now being exploited in the wild. Many organizations have also failed to patch vulnerabilities that were disclosed and known to be critical since the beginning of March.

    Microsoft Exchange Server 2013, 2016, and 2019 on-premises versions are vulnerable. If you have a hybrid environment, you have at least one on-premises server that needs to be patched. Microsoft has released security updates to address the vulnerabilities. You should work with your IT team or provider to:

    Notify BBR Services if you find IOCs. We have a rapid triage process in place to help you determine if there is a risk of further exploitation.
    Prepare for attacks outside business hours

    Attackers strike when organizations are least prepared. To help your organization stay resilient, CISA and the FBI recommend the following:

    • Identify IT security staff who would be available to surge on weekends and holidays in the event of an incident or ransomware attack.
    • Make and maintain offline, encrypted backups of data on a regular schedule, and regularly test that they restore. Keep backups offline, because many ransomware variants attempt to find and delete or encrypt any backups they can reach.
    • Implement multi-factor authentication (MFA) for remote access and administrative accounts.
    • Mandate strong passwords and ensure they are not reused across multiple accounts.
    • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
    • Remind employees not to click on suspicious links and conduct exercises to raise awareness.
    • Review and update contact information in your incident response plans.
