LockFile Ransomware Encrypting Domains Via Exchange Hack

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

A new ransomware operator is taking over Windows domains on networks around the world after exploiting a chain of Microsoft Exchange server vulnerabilities called ProxyShell.

The LockFile ransomware gang has taken advantage of the Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities to hijack Windows domains and encrypt devices, security researcher Kevin Beaumont reported Saturday. More technical details were recently disclosed on the ProxyShell flaws, which allowed security researchers and threat actors to reproduce the exploit, BleepingComputer said.

“These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March – they are more exploitable, and organizations largely haven’t patched,” Beaumont wrote in a blog post. “They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come.”

[Related: Hackers ‘Abusing’ Microsoft Exchange Server Vulnerabilities: Huntress]

Microsoft didn’t immediately respond to a CRN request for comment Monday. The Redmond, Wash.-based software giant told CRN Friday that customers who’ve applied the latest Microsoft updates are already protected against the ProxyShell vulnerabilities.

When breaching a network, adversaries like LockFile will first access the on-premise Microsoft Exchange server using the ProxyShell flaws. From there, LockFile uses the incompletely patched PetitPotam vulnerability to gain access to the domain controller and then spread across the network, Symantec reported Friday. Once hackers control the Windows domain, it’s easy for them to deploy ransomware.

LockFile was first observed on the network of a U.S. financial organization on July 20, with its latest activity seen as recently as Friday, Symantec wrote in a blog post. Victims of LockFile are primarily based in the United States and Asia, and can be found in verticals such as manufacturing, financial services, engineering, legal, business services, and travel and tourism, according to Symantec.

“New surge in Microsoft Exchange server exploitation underway,” Rob Joyce, director of cybersecurity at the National Security Agency (NSA), wrote…