No sign of Exchange-related ransomware hitting UK orgs, claims NCSC as it urges admins to scan for compromises

The UK's National Cyber Security Centre has reminded Brits to patch their Microsoft Exchange Server deployments against Hafnium attacks, 10 days after the US and wider infosec industry shouted the house down saying the same thing.

The agency told press on Friday afternoon that it had proactively helped UK organisations fix around 2,100 affected mailservers following last week's out-of-band patches to resolve four zero-day vulnerabilities in Exchange Server. Those flaws were being exploited by China-based malefactors to steal data from vulnerable deployments.

"The NCSC strongly advises all organisations using affected versions of Microsoft Exchange Servers to proactively search systems for evidence of compromise," said the GCHQ offshoot in a statement published this afternoon, expanding on brief public advice from 3 March.

On the bright side, rumours of ransomware engaging with webshells dropped by the likely-Chinese attackers behind the widespread compromise don't appear to be affecting the UK, at least as far as NCSC is aware.

The British cybersecurity agency urged sysadmins to upgrade on-prem and hosted Exchange deployments, per Microsoft's advice, and also to run Microsoft Safety Scanner, a Redmond malware seek-and-destroy tool.

We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.

— Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021

Today's note echoes advice published by Microsoft and the US CISA infosec agency earlier this week, as well as warnings from CISA which began on 2 March and have been reiterated every other day since. Earlier this week NCSC would only say it was "working to fully understand the impact" of the flaws, which is thought to affect between 8,000 and 10,000 servers worldwide. Other British government departments would only refer The Register to NCSC when we asked them about the impact of the zero-days on their operations.

The torture garden of Microsoft Exchange: Grant us the serenity to accept what they cannot EOL

READ MORE

Officials told The Register that around a thousand British organisations were alerted behind the scenes through NCSC's Cyber Security Information Sharing Partnership platform, aka CiSP. If you're not a member of CiSP, you should at the very least be on your vendors' security mailing lists. We were told there's about 10,000 orgs registered on CiSP.

Infosec firm Unit 221B has also published a checker for domains known to it that have been compromised.

In the event that your organ has been infected through a dodgy Exchange, NCSC wants to hear about it; there are contact methods published on its website.

This week, the European Banking Authority revealed it had pulled its server offline after realising it has been targeted by miscreants, and Norway's Parliament was also a victim.

Security reseacher Brian Krebbs estimated a week ago that 30,000 US organisations could have been hacked due to the flaw. ®