Saturday, December 14, 2024
HomeRansomwareLockFile Ransomware Exploit ProxyShell Vulnerabilities in Microsoft Exchange Servers

LockFile Ransomware Exploit ProxyShell Vulnerabilities in Microsoft Exchange Servers

Published on

SIEM as a Service

The Microsoft exchange servers were hacked by a very new ransomware gang that is known as LockFile. According to the cyber security expert, this ransomware gang has appeared in July 2021.

However, the main motive of this ransomware is to encrypt Windows domains soon after hacking into Microsoft Exchange servers, and this they do with the help of ProxyShell vulnerabilities that has been revealed recently.

As we said above that the threat actors conduct this operation while using the ProxyShell vulnerabilities, well the hackers generally breach the targets with unpatched, on-premises Microsoft Exchange servers, and which are being followed by a PetitPotam NTLM relay attack as it seizes the whole control of the domain.

- Advertisement - SIEM as a Service

Vulnerabilities Discovered Earlier

After investigating the attack, the experts Devcore Principal Security Researcher Orange Tsai have found three vulnerabilities, and later he attached them all together so that he can take over a Microsoft Exchange server in April’s Pwn2Own 2021 hacking competition.

  • CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
  • CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
  • CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

What Did We Know About the LockFile Ransomware?

The security analysts are trying their best to know all the key details reading this particular attack. However, there are many findings that are yet to disclose, but in July the experts first noted that the ransom note was named ‘LOCKFILE-README.hta’ but the interesting fact is that it does not have any special branding.

The attackers are using branded ransom notes that are designating that they were called ‘LockFile. Moreover, all these ransom notes apply a naming format of ‘[victim_name]-LOCKFILE-README.hta’ and later it advised the victim to communicate with them through Tox or email if they want to negotiate the ransom.

The RansomNote is An HTML Application

The researchers stated that the function at 0x7f00 initially generates the HTA ransom note, such as, ‘LOCKFILE-README-[hostname]-[id].hta’ in the root of the drive. 

After the investigation, the experts noted that instead of dropping a note in TXT format, the LockFile formats its ransom note as an HTML Application (HTA) file. The most important point is that the HTA ransom note that was being used by LockFile matches the one that is used by LockBit 2.0 ransomware.

Patch now!

After knowing all the details its been clear that this ransomware gang uses both the Microsoft Exchange ProxyShell vulnerabilities and the Windows PetitPotam NTLM Relay vulnerability.

According to the researchers, it’s quite important that Windows administrators must install the latest updates. Well in the case of ProxyShell vulnerabilities, the users can install the most advanced Microsoft Exchange cumulative updates as it will help to patch the vulnerability.

This type of ransomware attack is quite difficult to patch, but the experts stated that they are trying their best to circumvent this attack, as soon as possible.

Also Read: Ransomware Attack Response and Mitigation Checklist

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

US Charged Chinese Hackers for Exploiting Thousands of Firewall

The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Sichuan Silence...

Mauri Ransomware Leverages Apache ActiveMQ Vulnerability to Deploy CoinMiners

The Apache ActiveMQ server is vulnerable to remote code execution (CVE-2023-46604), where attackers can...

Black Basta Ransomware Leverages Microsoft Teams To Deliver Malicious Payloads

In a resurgence since May 2024, the Black Basta ransomware campaign has exhibited a...