[BreachExchange] LockFile Ransomware Targets Microsoft Exchange Servers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Aug 23 09:44:35 EDT 2021


https://in.pcmag.com/security/144442/lockfile-ransomware-targets-microsoft-exchange-servers

Security researchers have discovered a new ransomware family called
LockFile that appears to have been used to attack Microsoft Exchange
servers in the U.S. and Asia since at least July 20.

Symantec said when it revealed LockFile on Aug. 20 that it found evidence
of the ransomware targeting at least 10 organizations over the course of a
single month. The security company said LockFile's operators used an attack
called PetitPotam, which targets a domain controller to gain control over
an entire network, but it didn't know how the attackers gained access to
the servers.

DoublePulsar's Kevin Beaumont did. He reported that his personal honeypot
project—an intentionally exposed server that can be used to learn more
about hacking attempts—was targeted by LockFile's operators on Aug. 13 and
Aug. 16. Those attacks revealed that LockFile was exploiting a series of
vulnerabilities in Microsoft Exchange known collectively as ProxyShell.

ProxyShell is one of three collections of vulnerabilities affecting
Microsoft Exchange discovered, exploited, and disclosed by Devcore
principal security researcher Orange Tsai. The attack surfaces were shown
off at the Pwn2Own hacking competition in April, and Tsai shared more
information about them during a talk at the Black Hat 2021 conference on
Aug. 5 as well.

Microsoft patched these vulnerabilities in May, but BleepingComputer
reported that researchers and hackers alike have been able to recreate the
exploit, which is now being used to enable the LockFile attacks. The
ransomware's operators can also target Exchange servers that haven't
received the latest updates and therefore remain vulnerable to the original
ProxyShell attacks.

Beaumont said there were still "hundreds of directly exploitable, internet
facing systems with *.gov SSL certificate hostnames" in the U.S. as of Aug.
21 and cited TechTarget's report that "tens of thousands of Exchange
servers are still vulnerable to ProxyLogon and ProxyShell." Some of those
are likely to be honeypots, according to the report, but most probably
aren't.

The U.S. Cybersecurity and Infrastructure Security Agency said it "strongly
urges organizations to identify vulnerable systems on their networks and
immediately apply Microsoft's Security Update from May 2021—which
remediates all three ProxyShell vulnerabilities—to protect against these
attacks." Microsoft has also shared methods of mitigating the PetitPotam
attack.

LockFile itself reportedly encrypts all of the files on a target system,
renames them with the ".lockfile" extension, and then shows a note telling
the victims to contact the ransomware's operators via email to negotiate
the cost of recovering their files. That note is said to resemble one used
by the LockBit ransomware group and to include a reference to the Conti
Gang as well.
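The one concrete host-level indicator the article gives is the ".lockfile" extension appended during encryption. The following is an added example, not code from the article or from any of the vendors it cites: a small detector that reads file-rename events and flags a host that renames a burst of files to that extension inside a short window. The log line format, the host names, the paths and the threshold of five renames per minute are all constructed assumptions for the demonstration.

```python
"""Added example (not from the article): flag hosts with a burst of file
renames to the ".lockfile" extension, the behaviour the article attributes
to LockFile.  The event format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".lockfile"

# Constructed sample events, one per line: "<iso-timestamp> <host> RENAME <src> -> <dst>"
SAMPLE_EVENTS = """\
2021-08-16T10:00:01 EXCH01 RENAME C:\\Data\\q2.xlsx -> C:\\Data\\q2.xlsx.lockfile
2021-08-16T10:00:02 EXCH01 RENAME C:\\Data\\plan.docx -> C:\\Data\\plan.docx.lockfile
2021-08-16T10:00:02 EXCH01 RENAME C:\\Data\\notes.txt -> C:\\Data\\notes.txt.lockfile
2021-08-16T10:00:03 EXCH01 RENAME C:\\Data\\budget.pdf -> C:\\Data\\budget.pdf.lockfile
2021-08-16T10:00:03 EXCH01 RENAME C:\\Data\\a.png -> C:\\Data\\a.png.lockfile
2021-08-16T10:05:00 WS07 RENAME C:\\Users\\bob\\old.lockfile -> C:\\Users\\bob\\old.bak
2021-08-16T11:30:00 WS07 RENAME C:\\Users\\bob\\x.txt -> C:\\Users\\bob\\x.txt.lockfile
"""


def parse_event(line):
    """Parse one constructed event line; return (time, host, src, dst) or None."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    ts, host, op, rest = parts
    if op != "RENAME" or " -> " not in rest:
        return None
    src, dst = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), host, src, dst


def renames_to_ext(lines, ext=RANSOM_EXT):
    """Yield (time, host) for renames whose destination newly gains `ext`.

    A rename *away* from the extension (e.g. an analyst restoring a file)
    is deliberately not counted."""
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, host, src, dst = ev
        if dst.lower().endswith(ext) and not src.lower().endswith(ext):
            yield ts, host


def burst_hosts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {host: max_renames_in_window} for hosts that rename at least
    `threshold` files to the ransom extension within any `window`."""
    by_host = defaultdict(list)
    for ts, host in renames_to_ext(lines):
        by_host[host].append(ts)

    flagged = {}
    for host, times in by_host.items():
        times.sort()
        best = 0
        start = 0
        # Sliding window over the sorted timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    for host, count in burst_hosts(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {host}: {count} renames to {RANSOM_EXT} within 60s")
```

The sliding window matters more than the extension match: a single rename to ".lockfile" is noise (a user or backup job touching an already-encrypted file), while many per minute from one host is the encryption pass itself. Tune `threshold` and `window` to the host's normal file churn before wiring this into an alerting pipeline.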