A new ransomware operator known as LockFile encrypts Windows domains after breaking into vulnerable Microsoft Exchange servers using the recently disclosed ProxyShell exploit.
ProxyShell is the collective name for an exploit that chains three vulnerabilities in Microsoft Exchange, Microsoft's popular hosted email server, to give attackers unauthenticated remote code execution.
While Microsoft fully patched these vulnerabilities in May 2021, more technical details were shared at the recently concluded Black Hat 2021 by cybersecurity researcher Orange Tsai, who discovered the ProxyShell vulnerabilities.
BleepingComputer reports that the new details shared by Tsai allowed both security researchers and threat actors to reproduce the exploit.
Ransomware on Exchange
Following the talk, security researcher Kevin Beaumont noticed that threat actors began probing his Microsoft Exchange honeypot for the ProxyShell vulnerabilities once again.
Another security researcher, Rich Warren, whose Exchange honeypot was also probed using the new attack vector, told BleepingComputer that while the initial payload deployed by the attackers on vulnerable servers was benign, it would soon be swapped out for something a lot more malicious once the attackers had managed to break into enough servers.
His fears have now come true.
Beaumont now reports that a new ransomware operation known as LockFile uses ProxyShell to compromise Exchange servers and then exploits the Windows PetitPotam vulnerabilities to take over Windows domains in order to encrypt devices.
The LockFile ransomware was first seen in July, and BleepingComputer says very little is known about it as of now. In any case, security experts urge administrators to patch their Exchange servers immediately by installing the latest cumulative updates.
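The patching advice above is only actionable once an administrator knows which servers are actually behind. The following PowerShell snippet is an added example written for this article, not code from BleepingComputer or Microsoft: run from the Exchange Management Shell, it lists every Exchange server in the organization with its build number and flags any that fall below a minimum patched build. The real `Get-ExchangeServer` cmdlet and its `AdminDisplayVersion` property are used; the minimum build values in the table are placeholders that must be replaced with the build numbers for the cumulative update and security update Microsoft lists for your Exchange version.

```powershell
# Added example: report Exchange servers below a minimum patched build.
# Run inside the Exchange Management Shell (requires Get-ExchangeServer).
#
# PLACEHOLDER values: fill these from Microsoft's published Exchange
# build-number table for the update you are checking against.
# Keys are "Major.Minor" (15.1 = Exchange 2016, 15.2 = Exchange 2019).
$MinimumPatchedBuild = @{
    '15.1' = [version]'15.1.0.0'   # placeholder for the Exchange 2016 patched build
    '15.2' = [version]'15.2.0.0'   # placeholder for the Exchange 2019 patched build
}

function Convert-ExchangeVersion {
    # AdminDisplayVersion is a ServerVersion object (prints as
    # "Version 15.2 (Build 922.7)"); rebuild it as a comparable System.Version.
    param($AdminDisplayVersion)
    [version]('{0}.{1}.{2}.{3}' -f $AdminDisplayVersion.Major,
                                  $AdminDisplayVersion.Minor,
                                  $AdminDisplayVersion.Build,
                                  $AdminDisplayVersion.Revision)
}

$report = Get-ExchangeServer | ForEach-Object {
    $build   = Convert-ExchangeVersion $_.AdminDisplayVersion
    $key     = '{0}.{1}' -f $build.Major, $build.Minor
    $minimum = $MinimumPatchedBuild[$key]

    [pscustomobject]@{
        Server  = $_.Name
        Build   = $build
        # $null minimum means the version line is not in the table above
        Patched = if ($null -eq $minimum) { 'Unknown' } else { $build -ge $minimum }
    }
}

$report | Format-Table -AutoSize

$unpatched = @($report | Where-Object { $_.Patched -ne $true })
if ($unpatched.Count -gt 0) {
    Write-Warning ('{0} server(s) are below the minimum build or have no entry in the table' -f $unpatched.Count)
}
```

Servers that report `Unknown` are running a version line the table does not cover and should be checked by hand rather than assumed safe; a single placeholder build per version line is enough for this check because the security update for a cumulative update always raises the build number.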
Via BleepingComputer