January 17, 2022
Alerts & Bugs

Microsoft Exchange under attack as LockFile ransomware targets servers – ET CISO

Security researchers claim to have discovered a new ransomware family called LockFile that seems to the same that was used earlier to attack Microsoft Exchange servers in the US and Asia. According to Symantec, previously unseen ransomware has hit at least 10 companies in the ongoing campaign. These targets are across industries.

The LockFile ransomware was first observed on the network of a US financial organisation on July 20, 2021, with its latest activity seen as recently as August 20.

How the new attack works
As per Symantec, there are signs that the attackers gain access to victims’ networks via Microsoft Exchange Servers, and then use the incompletely patched PetitPotam vulnerability to gain access to the domain controller, and then spread across the network. It is so far not clear how the attackers gain initial access to the Microsoft Exchange Servers. As per US Cybersecurity and Infrastructure Security Agency (CISA), “Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organisations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”

The attackers behind this ransomware are said to use a ransom note with a similar design to that used by the LockBit ransomware gang and reference the Conti gang in the email address they use, contact@contipauper.com.

As per the report, typically around 20 to 30 minutes prior to deploying ransomware, the attackers install a set of tools onto the compromised Exchange Server. These include:

* An exploit for the CVE-2021-36942 vulnerability (aka PetitPotam). The code appears to be copied from https://github.com/zcgonvh/EfsPotato. This is in a file called “efspotato.exe”.

* Two files: active_desktop_render.dll and active_desktop_launcher.exe

The encrypted shellcode, however, very likely activates the efspotato.exe file that exploits PetitPotam vulnerability. It was patched in Microsoft’s August Patch Tuesday release, but it subsequently emerged that the fix released reportedly did not fully patch the vulnerability.

The companies attacked include those in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *