Security researchers have discovered a new ransomware family called LockFile that appears to have been used to attack Microsoft Exchange servers in the US and Asia since at least July 20.
Symantec says that when it revealed LockFile on Aug. 20, it found evidence of the ransomware targeting at least 10 organizations over the course of a single month. The security company says LockFile's operators used an attack called PetitPotam, which targets a domain controller to gain control over an entire network, but it didn't know how the attackers gained access to the servers.
DoublePulsar's Kevin Beaumont does. He reports that his personal honeypot project—an intentionally exposed server that can be used to learn more about hacking attempts—was targeted by LockFile's operators on Aug. 13 and Aug. 16. Those attacks revealed that LockFile was exploiting a series of vulnerabilities in Microsoft Exchange known collectively as ProxyShell.
ProxyShell is one of three collections of vulnerabilities affecting Microsoft Exchange discovered, exploited, and disclosed by Devcore principal security researcher Orange Tsai. The attack surfaces were shown off at the Pwn2Own hacking competition in April, and Tsai shared more information about them during a talk at the Black Hat 2021 conference on Aug. 5 as well.
Microsoft patched these vulnerabilities in May, but BleepingComputer reports that researchers and hackers alike have been able to recreate the exploit, which is now being used to enable the LockFile attacks. The ransomware's operators can also target Exchange servers that haven't received the latest updates and therefore remain vulnerable to the original ProxyShell attacks.
Beaumont says there are still "hundreds of directly exploitable, internet facing systems with *.gov SSL certificate hostnames" in the US as of Aug. 21 and cited TechTarget's report that "tens of thousands of Exchange servers are still vulnerable to ProxyLogon and ProxyShell." Some of those are likely to be honeypots, according to the report, but most probably aren't.
Recommended by Our Editors
The US Cybersecurity and Infrastructure Security Agency says it "strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks." Microsoft has also shared methods of mitigating the PetitPotam attack.
LockFile itself reportedly encrypts all of the files on a target system, renames them with the ".lockfile" extension, and then shows a note telling the victims to contact the ransomware's operators via email to negotiate the cost of recovering their files. That note is said to resemble one used by the LockBit ransomware group and to include a reference to the Conti Gang as well.
Like What You're Reading?
Sign up for Security Watch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
"exchange" - Google News
August 23, 2021 at 02:07AM
https://ift.tt/3sDyVpb
LockFile Ransomware Targets Microsoft Exchange Servers - PCMag
"exchange" - Google News
https://ift.tt/3c55nbe
https://ift.tt/3b2gZKy
Exchange
Bagikan Berita Ini
0 Response to "LockFile Ransomware Targets Microsoft Exchange Servers - PCMag"
Post a Comment