Microsoft Exchange servers are no stranger to malicious attackers going after them. Now, a new threat has emerged known as LockFile. The ransomware has been used to target Microsoft Exchange servers in the U.S. and Asia since at least July 20, 2021, according to a report by Symantec (via PC Gamer). If successful, this type of attack can take over Windows domains and encrypt devices. Once this is done, a threat actor can spread ransomware throughout a network.
LockFile utilizes an exploit known as PetitPotam, according to Symantec. While it’s believed that attackers gain access to a network through Microsoft Exchange servers and then use the PetitPotam vulnerability, Symantec says it’s “not clear how the attackers gain initial access to the Microsoft Exchange Servers.”
In contrast to Symantec’s statement, DoublePulsar reports that the attack exploits vulnerabilities in Microsoft Exchange known as ProxyShell.
Bleeping Computer explains that ProxyShell consists of “three chained Microsoft Exchange vulnerabilities that result in unauthenticated, remote code execution.” These vulnerabilities were initially discovered by Orange Tsai.
Microsoft patched the ProxyShell vulnerabilities in May 2021, but researchers and attackers have since been able to reproduce the exploit.
The latest Microsoft Exchange cumulative updates patch the ProxyShell vulnerabilities used in these attacks. Microsoft does not have a full patch for the PetitPotam attack.
The Cybersecurity & Infrastructure Security Agency also has an advisory on the vulnerabilities:
Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.
We may earn a commission for purchases using our links. Learn more.