A new ransomware gang called LockFile encrypts Windows domains after exploiting Microsoft Exchange servers using the recently disclosed ProxyShell vulnerabilities.
ProxyShell is the name of an attack consisting of three chained Microsoft Exchange vulnerabilities that lead to unauthenticated remote code execution.
The three vulnerabilities were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them together to exploit a Microsoft Exchange server in April’s Pwn2Own 2021 hacking contest.
- CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
- CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)
Microsoft fully patched these vulnerabilities in May 2021, but more technical details were disclosed recently, which allowed security researchers and threat actors to reproduce the exploit.
So now the threat actors are actively scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities.
After exploiting an Exchange server, the threat actors dropped web shells that could be used to upload other programs and execute them.
NCC Group’s vulnerability researcher Rich Warren stated that the web shells were being used to install a .NET backdoor that was downloading a harmless payload at the time.
Since then, security researcher Kevin Beaumont reports that a new ransomware operation known as LockFile uses the Microsoft Exchange ProxyShell and the Windows PetitPotam vulnerabilities to take over Windows domains and encrypt devices.
While breaching a network, the threat actors will first access the on-premise Microsoft Exchange server using the ProxyShell vulnerabilities. After attaining a foothold, the LockFile gang uses the PetitPotam vulnerability to take over a domain controller, and thus the Windows domain.
From there, it is trivial to deploy the ransomware through the entire network.
The ransomware gang is using branded ransom notes indicating that they are called ‘LockFile.’ The naming format of the ransom note is ‘[victim_name]-LOCKFILE-README.hta’ and it asks the victim to contact the gang through Tox or email to negotiate the ransom. The current email address used by the operation is email@example.com, which appears to be a reference to the Conti ransomware operation.
The color scheme and layout of the ransom notes are very similar to those of the LockBit ransomware, but there is no relation.
When encrypting files, the ransomware will append the .lockfile extension to the encrypted files’ names.
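An added example, not from the original article: a Python triage pass over a file listing that flags the two artifacts described above, the ‘[victim_name]-LOCKFILE-README.hta’ ransom note and the appended .lockfile extension, and groups them by directory. The sample paths, the victim name CONTOSO and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Ransom note naming format given in the article: [victim_name]-LOCKFILE-README.hta
NOTE_RE = re.compile(r"^(?P<victim>.+)-LOCKFILE-README\.hta$", re.IGNORECASE)
ENCRYPTED_SUFFIX = ".lockfile"  # extension the article says is appended

# Constructed sample listing (e.g. exported from a file server inventory).
SAMPLE_LISTING = [
    r"C:\Shares\Finance\budget.xlsx.lockfile",
    r"C:\Shares\Finance\Q3.docx.LOCKFILE",
    r"C:\Shares\Finance\CONTOSO-LOCKFILE-README.hta",
    r"C:\Shares\HR\handbook.pdf",
    r"C:\Users\alice\notes.lockfile",
]

def triage(paths):
    """Group LockFile artifacts by parent directory.

    Windows file names are case-insensitive, so both checks ignore case.
    """
    report = defaultdict(lambda: {"notes": [], "victims": set(), "encrypted": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        m = NOTE_RE.match(p.name)
        if m:
            entry = report[str(p.parent)]
            entry["notes"].append(p.name)
            entry["victims"].add(m.group("victim"))
        elif p.suffix.lower() == ENCRYPTED_SUFFIX:
            # The extension is appended, so the stem is the original file name.
            report[str(p.parent)]["encrypted"].append(p.stem)
    return dict(report)

def classify(entry):
    """A note next to renamed files is strong evidence; one alone needs review."""
    if entry["notes"] and entry["encrypted"]:
        return "confirmed"
    return "review"

if __name__ == "__main__":
    for directory, entry in sorted(triage(SAMPLE_LISTING).items()):
        print(classify(entry), directory, len(entry["encrypted"]), sorted(entry["victims"]))
```

A directory classified as "review" has only one of the two artifacts, which can also be an unrelated file that happens to use the same extension.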
As the LockFile operation uses both the Microsoft Exchange ProxyShell vulnerabilities and the Windows PetitPotam NTLM Relay vulnerability, it is necessary to install the latest updates.
For the ProxyShell vulnerabilities, the latest Microsoft Exchange cumulative updates can be installed to patch the vulnerabilities.
The Windows PetitPotam attack gets a bit complicated as Microsoft’s security update is incomplete and does not patch all the vulnerability vectors.
To mitigate the PetitPotam attack, use an unofficial patch from 0patch to block this NTLM relay attack vector, or apply NETSH RPC filters that block access to vulnerable functions in the MS-EFSRPC API.
All organizations are strongly advised to apply the patches as soon as possible and create offline backups of their Exchange servers.