A new ransomware family called LockFile is reportedly breaching Microsoft Exchange servers. Its operators are chaining the ProxyShell vulnerabilities in Microsoft Exchange with the PetitPotam NTLM relay flaw in Windows to take over Windows domains around the world.
The gang behind the series of attacks abusing Microsoft's partially patched PetitPotam vulnerability is tracked as LockFile, the same name given to the new ransomware it deploys.
According to Infosecurity Magazine, PetitPotam was discovered by a researcher in the past month. It is considered “an NTLM relay attack vulnerability that an attacker can use with low privileges to take over a domain controller.”
Symantec security researchers first observed the new variant on July 20, 2021, reports Infosecurity Magazine, when the group launched a cyberattack on a financial services organization based in the United States. As of writing, the ransomware gang had hit at least 10 corporate victims by August 20, 2021.
Between Thursday and Sunday of last week, August 19 to 22, 2021, Huntress found approximately 164 vulnerable Microsoft Exchange servers.
Bleeping Computer states that most of these victims were in Asia and the United States, and that the group focuses on specific sectors: engineering, financial services, business services, manufacturing, legal, and travel and tourism.
Based on Symantec's research, the group gained initial access to victim networks through vulnerable Microsoft Exchange servers, although Bleeping Computer notes that the exact exploitation method has yet to be disclosed.
After compromising the Exchange servers, CRN reports, the gang chained the Microsoft Exchange ProxyShell flaws with the partially patched Windows PetitPotam flaw to take over the Windows domain, and then used that control to encrypt devices.
Once in control of the domain, the threat actors are free to run any command on it, notes Bleeping Computer.
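The initial-access step described above leaves a recognisable trace on the Exchange front end. As an added example (not code from the article or from any of the vendors it cites), the following Python scans IIS W3C logs for the request shape ProxyShell uses: a request to /autodiscover/autodiscover.json whose query smuggles a backend path after an "@" and re-embeds autodiscover.json in the Email parameter. The log lines are constructed for the example, and the stage labels and backend-to-stage mapping are my own triage convention, not a published taxonomy.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample IIS W3C log (not real telemetry). Field order follows the
# default IIS layout declared in the #Fields directive.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-20 03:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15
2021-08-20 03:12:44 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 120
2021-08-20 03:12:45 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 98
2021-08-20 03:12:50 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 300
2021-08-20 03:15:00 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 - 192.0.2.44 Microsoft+Office/16.0 - 200 0 0 20
"""

# Backend paths reached through the Autodiscover path confusion, mapped to a
# triage stage. The stage names are an assumption of this example.
BACKEND_STAGES = {
    "/mapi/nspi": "sid-lookup",
    "/ews/": "ews-access",
    "/powershell": "powershell-backend",
}

AUTODISCOVER_JSON = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)


def parse_iis_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def classify_request(rec: Dict[str, str]) -> Optional[str]:
    """Return a stage label if the record matches the ProxyShell SSRF shape, else None."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-").lower()
    if not AUTODISCOVER_JSON.search(stem):
        return None
    # A legitimate Autodiscover JSON request carries neither "@host/backend"
    # in the query nor a re-embedded autodiscover.json in the Email parameter.
    if "@" not in query or "email=autodiscover/autodiscover.json" not in query:
        return None
    for backend, stage in BACKEND_STAGES.items():
        if backend in query:
            return stage
    return "unknown-backend"


def find_proxyshell_activity(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {client_ip: [stages in log order]} for requests matching the pattern."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for rec in parse_iis_w3c(lines):
        stage = classify_request(rec)
        if stage:
            hits[rec.get("c-ip", "?")].append(stage)
    return dict(hits)


def clients_reaching_powershell(hits: Dict[str, List[str]]) -> List[str]:
    """Clients that reached the PowerShell backend via the confusion: the step before code execution."""
    return sorted(ip for ip, stages in hits.items() if "powershell-backend" in stages)


if __name__ == "__main__":
    found = find_proxyshell_activity(SAMPLE_IIS_LOG.splitlines())
    for ip, stages in found.items():
        print(f"{ip}: {' -> '.join(stages)}")
    print("reached PowerShell backend:", clients_reaching_powershell(found))
```

Run it against the real logs under inetpub\logs\LogFiles\W3SVC1 on the Exchange server; a client that progresses from the MAPI lookup to the PowerShell backend is the sequence to escalate on, while a single hit on an unknown backend is worth a look but may be a scanner.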
In a blog post at DoublePulsar on Saturday, August 21, 2021, security researcher Kevin Beaumont wrote that “These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March – they are more exploitable, and organizations largely haven’t patched.”
“They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come,” continued Beaumont.
Meanwhile, in a blog post dated Friday, August 20, 2021, the Symantec Threat Hunter Team said the ransom note left by LockFile bears similarities to the note left by the LockBit ransomware gang.