Nasty new malware targets Microsoft Exchange servers


A new ransomware operator known as LockFile encrypts Windows domains after breaking into vulnerable Microsoft Exchange servers using the recently disclosed ProxyShell exploit.

ProxyShell is the collective name for an exploit that chains three vulnerabilities in Microsoft's popular hosted email server, giving attackers unauthenticated remote code execution.

While Microsoft fully patched these vulnerabilities in May 2021, more technical details were shared at the recently concluded Black Hat 2021 by cybersecurity researcher Orange Tsai, who discovered the ProxyShell vulnerabilities.


BleepingComputer reports that the new details shared by Tsai allowed both security researchers and threat actors to reproduce the exploit.

Ransomware on Exchange 

Following the talk, security researcher Kevin Beaumont noticed that threat actors began probing his Microsoft Exchange honeypot for the ProxyShell vulnerabilities once again.

Another security researcher, Rich Warren, whose Exchange honeypot was also probed using the new attack vector, told BleepingComputer that while the initial payload deployed by the attackers on vulnerable servers was benign, it would soon be swapped out for something a lot more malicious once the attackers had managed to break into enough servers.

His fears have now come true.

Beaumont now reports that a new ransomware operation known as LockFile uses ProxyShell to compromise the Exchange servers and then exploits the Windows PetitPotam vulnerabilities to take over Windows domains in order to encrypt devices.

LockFile was first seen in July, and BleepingComputer says very little is known about the ransomware as of now. In any case, security experts urge users to immediately patch their Exchange servers by installing the latest cumulative updates.

Via BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.