LockFile Ransomware Encrypting Domains Via Exchange Hack


A new ransomware operator is taking over Windows domains on networks around the world after exploiting a chain of Microsoft Exchange server vulnerabilities called ProxyShell.

The LockFile ransomware gang has taken advantage of the Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities to hijack Windows domains and encrypt devices, security researcher Kevin Beaumont reported Saturday. More technical details were recently disclosed on the ProxyShell flaws, which allowed security researchers and threat actors to reproduce the exploit, BleepingComputer said.

“These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March – they are more exploitable, and organizations largely haven’t patched,” Beaumont wrote in a blog post. “They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come.”

[Related: Hackers ‘Abusing’ Microsoft Exchange Server Vulnerabilities: Huntress]

Microsoft didn’t immediately respond to a CRN request for comment Monday. The Redmond, Wash.-based software giant told CRN Friday that customers who’ve applied the latest Microsoft updates are already protected against the ProxyShell vulnerabilities.

When breaching a network, adversaries like LockFile first access the on-premises Microsoft Exchange server using the ProxyShell flaws. From there, LockFile uses the incompletely patched PetitPotam vulnerability to gain access to the domain controller and then spread across the network, Symantec reported Friday. Once attackers control the Windows domain, it is easy for them to deploy ransomware.

LockFile was first observed on the network of a U.S. financial organization on July 20, with its latest activity seen as recently as Friday, Symantec wrote in a blog post. Victims of LockFile are primarily based in the United States and Asia, and can be found in verticals such as manufacturing, financial services, engineering, legal, business services, and travel and tourism, according to Symantec.

“New surge in Microsoft Exchange server exploitation underway,” Rob Joyce, director of cybersecurity at the National Security Agency (NSA), wrote…


LockFile ransomware attacks Microsoft Exchange with ProxyShell exploits

A new ransomware gang known as LockFile encrypts Windows domains after hacking into Microsoft Exchange servers using the recently disclosed ProxyShell vulnerabilities.

ProxyShell is the name of an attack consisting of three chained Microsoft Exchange vulnerabilities that result in unauthenticated, remote code execution.

The three vulnerabilities were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them together to take over a Microsoft Exchange server in April’s Pwn2Own 2021 hacking contest.

While Microsoft fully patched these vulnerabilities in May 2021, more technical details were recently disclosed, allowing security researchers and threat actors to reproduce the exploit.

As reported last week by BleepingComputer, this has led to threat actors actively scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities.

After exploiting an Exchange server, the threat actors dropped web shells that could be used to upload other programs and execute them.

At the time, NCC Group vulnerability researcher Rich Warren told BleepingComputer that the web shells were being used to install a .NET backdoor which, at that point, was only downloading a harmless payload.

Since then, security researcher Kevin Beaumont reports that a new ransomware operation known as LockFile uses the Microsoft Exchange ProxyShell and the Windows PetitPotam vulnerabilities to take over Windows domains and encrypt devices.

When breaching a network, the threat actors first access the on-premises Microsoft Exchange server using the ProxyShell vulnerabilities. Once they gain a foothold, Symantec says the LockFile gang uses the PetitPotam vulnerability to take over a domain controller, and with it the Windows domain.

From there, it is trivial to deploy the ransomware through the entire network.

What we know about the LockFile ransomware

At this time, there is not much known about the new LockFile ransomware operation.

When first seen in July, the ransom note was named ‘LOCKFILE-README.hta’ but did not carry any particular branding, as shown below.

Old LockFile ransom notes

Starting last week, BleepingComputer began receiving reports of a ransomware gang…