Microsoft Exchange Servers under attack
The LockFile ransomware gang is once again in the limelight for breaking into Microsoft Exchange servers through the ProxyShell vulnerabilities and encrypting entire Windows domains.
ProxyShell is an attack chain of three Microsoft Exchange vulnerabilities that together give an unauthenticated attacker remote code execution.
Orange Tsai, Principal Security Researcher at Devcore, discovered these vulnerabilities and chained them together. They are tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, and in combination they let an attacker bypass ACL controls, elevate privileges on the Exchange PowerShell backend, and achieve remote code execution.
Microsoft attempted to fully patch these vulnerabilities in May 2021. Nevertheless, further technical details were disclosed recently, and attackers are now actively scanning for and compromising Microsoft Exchange servers.
After successfully exploiting an Exchange server, the attackers drop web shells that serve as a doorway for uploading and executing further programs.
Security researcher Kevin Beaumont stated that the LockFile ransomware uses the Microsoft Exchange ProxyShell and the Windows PetitPotam vulnerabilities to encrypt devices by taking over the Windows domains.
According to Symantec, the intrusion proceeds in stages: the threat actors first gain access to the on-premise Microsoft Exchange server through the ProxyShell vulnerabilities. They then use the PetitPotam vulnerability to take over the Windows domain. With domain control in hand, deploying the ransomware across the entire network becomes straightforward.
Because the LockFile operation uses both the Microsoft Exchange ProxyShell vulnerabilities and the Windows PetitPotam NTLM relay vulnerability, installing the latest updates is vital. To patch the ProxyShell vulnerabilities, install the latest Microsoft Exchange cumulative updates.
For the PetitPotam attack, the advice is to use the unofficial patch from 0patch, or to apply netsh RPC filters that either block this NTLM relay attack vector or block access to the vulnerable functions in the MS-EFSRPC API.
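As an added example (not part of the original article, nor from Microsoft or 0patch), the following PowerShell script applies the netsh RPC filter mitigation mentioned above on a single host, blocking the MS-EFSRPC interface UUIDs that PetitPotam coerces, and then verifies that the filters are installed. The script file path and rule layout are this example's own choices; it assumes an elevated session on a supported Windows server.

```powershell
# Added example: block the MS-EFSRPC interface with netsh RPC filters.
# Run from an elevated PowerShell session on the domain controller or other
# host to be protected. Caveat: this also blocks legitimate remote EFS
# operations, so confirm nothing in the environment depends on them.

# Well-known MS-EFSRPC interface UUIDs (the efsrpc and lsarpc bindings).
$EfsrpcUuids = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',
    'df1941c5-fe89-4e79-bf10-463657acf44d'
)

# netsh script: one block rule per UUID, each committed with "add filter".
$lines = @('rpc', 'filter')
foreach ($uuid in $EfsrpcUuids) {
    $lines += 'add rule layer=um actiontype=block'
    $lines += "add condition field=if_uuid matchtype=equal data=$uuid"
    $lines += 'add filter'
}
$lines += 'quit'

# Path chosen for this example; any writable location works.
$FilterScript = Join-Path $env:TEMP 'block-efsrpc.txt'
$lines | Set-Content -Path $FilterScript -Encoding ASCII

# Apply the filters (netsh -f reads commands from the script file).
netsh -f $FilterScript

# Verify: every UUID should now appear in the installed filter list.
$installed = (netsh rpc filter show filter) -join "`n"
$missing = $EfsrpcUuids | Where-Object { $installed -notmatch $_ }
if ($missing) {
    Write-Warning "RPC filter not found for: $($missing -join ', '). Is the session elevated?"
} else {
    Write-Output 'MS-EFSRPC RPC filters are active.'
}
```

To roll the change back, `netsh rpc filter delete filter filterkey=<key>` removes an individual filter using the key shown by `netsh rpc filter show filter`.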