A new ransomware gang named LockFile targets Microsoft Exchange servers using the recently disclosed ProxyShell vulnerabilities. The popular security expert Kevin Beaumont was one of the first researchers to report that the LockFile operators are using the Microsoft Exchange ProxyShell and the Windows PetitPotam vulnerabilities to take over Windows domains.
Symantec security firm said that the “LockFile” variant was first spotted on July 20 in an attack on a US financial services organization and has subsequently targeted at least ten corporate victims around the world up to August 20 with most of its victims based in the U.S. and Asia. The companies attacked include those in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors.
“The encrypted shellcode, however, very likely activates the efspotato.exe file that exploits PetitPotam” – Symantec
As per US Cybersecurity and Infrastructure Security Agency (CISA), “Malicious cyber actors are actively exploiting the following vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urged organisations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021,which remediates all three ProxyShell vulnerabilities to protect against these kind of attacks.
Indications are that the attackers gain access to victims’ networks via Microsoft Exchange Servers, and then use the incompletely patched PetitPotam vulnerability( CVE-2021-36942 ) to gain access to the domain controller, and then spread across the network. It is not clear how the attackers gain initial access to the Microsoft Exchange Servers. After exploiting an exchange server, the threat actors dropped web shells that could be used to upload other programs and execute them. and also deploy their file-encrypting payloads to connected workstations, according to a report published by security firm Symantec.
What is known is that the threat actors behind LockFile is trying to mimic similar designed ransom note that is used by the LockBit gang and reference the Conti group in the email address they use for communications.
To prevent the LockFile gang from gaining access to their systems, companies are advised to apply patches for the PetitPotam and ProxyShell vulnerabilities.
The security researcher says that although LockFile appears to be a new ransomware variant, it could have links to “previously seen or retired threats.”
Indicator of Compromise:
| File hashes | Description |
|---|---|
| ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291 | active_desktop_render.dll |
| cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915 | autoupdate.exe |
| 36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9 | autologin.sys |
| 5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f | autologin.exe |
| 1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75 | autologin.dll |
| 2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a | autoupdate.exe |
| 7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd | efspotato.exe |
| c020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153 | active_desktop_render.dll |
| a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0 | autoupdate.exe |
| 368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690 | autologin.sys |
| d030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a | autoupdate.exe |
| a0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8 | autoupdate.exe |
IP address:
209.14.0.234
Posted by: Ramya Natarajan ,Currently pursuing M.Sc. Cyber forensics and Information security in University of Madras. I’m a dedicated and hard-working person with lots of interest in Information security field. My hobbies are updating myself in the field of information security, Surfing internet and reading books.