Security News > 2021 > August > LockFile ransomware attacks Microsoft Exchange with ProxyShell exploits
A new ransomware gang known as LockFile encrypts Windows domains after hacking into Microsoft Exchange servers using the recently disclosed ProxyShell vulnerabilities.
ProxyShell is the name of an attack consisting of three chained Microsoft Exchange vulnerabilities that result in unauthenticated, remote code execution.
Security researcher Kevin Beaumont reports that a new ransomware operation known as LockFile uses the Microsoft Exchange ProxyShell and the Windows PetitPotam vulnerabilities to take over Windows domains and encrypt devices.
As the LockFile operation uses both the Microsoft Exchange ProxyShell vulnerabilities and the Windows PetitPotam NTLM Relay vulnerability, it is imperative that Windows administrators install the latest updates.
For the ProxyShell vulnerabilities, you can install the latest Microsoft Exchange cumulative updates to patch the vulnerabilities.
To patch the PetitPotam attack, you can use an unofficial patch from 0patch to block this NTLM relay attack vector or apply NETSH RPC filters that block access to vulnerable functions in the MS-EFSRPC API. Beaumont says you can perform the following Azure Sentinel queries to check if your Microsoft Exchange server has been scanned for the ProxyShell vulnerability.
News URL
Related news
- Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset (source)
- Chinese espionage tools deployed in RA World ransomware attack (source)
- SonicWall firewall bug leveraged in attacks after PoC exploit release (source)
- New “whoAMI” Attack Exploits AWS AMI Name Confusion for Remote Code Execution (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Lee Enterprises newspaper disruptions caused by ransomware attack (source)