Microsoft Exchange server being hacked by the new LockFile ransomware

A new ransomware gang, known as LockFile, is using the recently published ProxyShell vulnerabilities to encrypt Windows domains after hacking into Microsoft Exchange servers.

ProxyShell is the name of an attack consisting of three chained Microsoft Exchange vulnerabilities that lead to unauthenticated remote code execution.

The three vulnerabilities were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them to take over a Microsoft Exchange server at the Pwn2Own 2021 hacking contest in April.

Microsoft fully patched these vulnerabilities in May 2021, but more technical details were disclosed recently, allowing security researchers and threat actors to reproduce the exploit.

As Bleeping Computer reported last week, threat actors are actively scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities.

After exploiting the Exchange server, the attackers dropped a web shell that could be used to upload and run other programs.

At that time, NCC Group vulnerability researcher Rich Warren told Bleeping Computer that the web shell was being used to install a .NET backdoor, which was downloading a harmless payload at the time.

Since then, security researcher Kevin Beaumont has reported that a new ransomware operation called LockFile is using the Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities to take over Windows domains and encrypt devices.

When breaking into a network, the attackers first use the ProxyShell vulnerability to access an on-premises Microsoft Exchange server. Once they have established a foothold, Symantec says the LockFile gang uses the PetitPotam vulnerability to take over the domain controller, and with it the Windows domain.

From there, it is easy to deploy the ransomware throughout the network.

What we know about LockFile ransomware

Little is known about the new LockFile ransomware operation at this time.

When first seen in July, the ransom note was named 'LOCKFILE-README.hta' but carried no specific branding, as shown below.

Old LockFile Ransom Note

Starting last week, Bleeping Computer began receiving reports of a ransomware gang using a branded ransom note that identifies the operation as 'LockFile', as shown below.

These ransom notes use the naming format '[victim_name]-LOCKFILE-README.hta' and urge victims to contact the gang via Tox or email to negotiate the ransom. The current email address used in the operation is [email protected], which seems to be a reference to the Conti ransomware operation.


The color scheme of the ransom note is similar, but it is not known whether the communication method and wording are the same.

Of particular interest are the color scheme and layout of the ransom notes, which are very similar to those of LockBit ransomware, although the two do not appear to be related.

When encrypting files, the ransomware appends the .lockfile extension to the names of encrypted files.

Yesterday afternoon, Bleeping Computer and ransomware expert Michael Gillespie analyzed the July version of LockFile and found that it is a noisy ransomware that consumes a lot of system resources and causes the computer to freeze temporarily.

Apply the patch now!

The LockFile operation uses both the Microsoft Exchange ProxyShell vulnerabilities and the Windows PetitPotam NTLM relay vulnerability, so Windows administrators must install the latest updates.

For the ProxyShell vulnerabilities, the latest Microsoft Exchange cumulative updates patch the vulnerability.

The Windows PetitPotam attack is a bit more complicated, because Microsoft's security update is incomplete and does not patch all of the vulnerability's vectors.

To mitigate the PetitPotam attack, either apply the unofficial patch from 0patch, which blocks this NTLM relay attack vector, or apply a netsh RPC filter that blocks access to the vulnerable functions of the MS-EFSRPC API.
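The netsh RPC filter mitigation mentioned above, written out as an added example (this is not code from the article, from 0patch or from Microsoft). It writes a netsh script that blocks the two MS-EFSRPC interfaces, applies it, and lists the resulting filters so the change can be verified. The variable names and the temporary file name block_efsrpc.txt are my own; the two interface UUIDs are the MS-EFSRPC interface identifiers as published in the community mitigation, and you should check them against Microsoft's MS-EFSR specification before deploying.

```powershell
# Added example: block the MS-EFSRPC RPC interfaces with a netsh RPC filter,
# one of the two PetitPotam mitigations the article mentions.
# Run from an elevated PowerShell session on the domain controller.

# Interface UUIDs of the two MS-EFSRPC endpoints (lsarpc and efsrpc pipes).
# Assumption: these are the values from the widely published mitigation; verify
# them against the MS-EFSR specification before use.
$efsrpcUuids = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',
    'df1941c5-fe89-4e79-bf10-463657acf44d'
)

# Build the netsh script: one block rule per interface UUID in the user-mode layer.
$script = "rpc`nfilter`n"
foreach ($uuid in $efsrpcUuids) {
    $script += "add rule layer=um actiontype=block`n"
    $script += "add condition field=if_uuid matchtype=equal data=$uuid`n"
    $script += "add filter`n"
}
$script += "quit`n"

# Write the script to a temporary file (hypothetical name) and feed it to netsh.
$path = Join-Path $env:TEMP 'block_efsrpc.txt'
Set-Content -Path $path -Value $script -Encoding ASCII
netsh -f $path

# Verify: both filters should now appear in the list.
netsh rpc filter show filter
```

Note that this blocks all remote calls to the EFSRPC interfaces, not only the vulnerable ones, so any workflow that relies on EFS over the network from that server will stop working; test it before rolling it out to every domain controller.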

According to Beaumont, you can run the following Azure Sentinel query to see if your Microsoft Exchange server is being scanned for the ProxyShell vulnerabilities.

W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "PowerShell"
| where csMethod == "POST"

All organizations are strongly encouraged to patch and create an offline backup of their Exchange server as soon as possible.
