[TheRecord] New LockFile ransomware gang weaponizes ProxyShell and PetitPotam attacks

A new ransomware group has weaponized two recently disclosed vulnerabilities to improve its chances of breaching, taking over, and encrypting corporate networks.

Named LockFile, this new ransomware gang has been seen exploiting a vulnerability known as ProxyShell to gain access to Microsoft Exchange email servers, from where it pivots to companies’ internal networks, according to reports from security firm TG Soft and security researcher Kevin Beaumont.

Once inside, LockFile operators abuse an attack method known as PetitPotam to take over a company’s Windows domain controller and then deploy their file-encrypting payloads to connected workstations, according to a report published on Friday by security firm Symantec.

Details about the PetitPotam attack and the ProxyShell vulnerability were disclosed at the end of July and in early August, respectively, showing once again that cybercrime gangs are quick to weaponize exploits once they enter the public domain.

2021-08-19 #LockFile #Ransomware via #Exchange #ProxyShell #EfsPotato #VatetLoader #CobaltStrike hit Italy 🇮🇹
We have analyzed a case of attack by #LockFile #Ransomware that used Exchange exploit and group policy to attack an entire network. @58_158_177_102 @siri_urz @reecdeep pic.twitter.com/jWhEht7qHG

— TG Soft (@VirITeXplorer) August 20, 2021

Symantec said the group has already hit at least ten organizations, with most of its victims based in the US and Asia.

“The LockFile ransomware was first observed on the network of a US financial organization on July 20, 2021, with its latest activity seen as recently as August 20,” the company said last week.

Currently, details about this ransomware operation are still scarce. What is known is that LockFile is trying to mimic the visual style of the ransom notes used by LockBit, a better-known ransomware gang that has recently seen a spike in use in the criminal underworld.

Image: Symantec

To prevent the LockFile gang from gaining access to their systems, companies are advised to apply patches for the PetitPotam and ProxyShell vulnerabilities.

PetitPotam patches and mitigations are detailed here.

ProxyShell security patches shipped with the May and July Windows security updates (CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523).

The post New LockFile ransomware gang weaponizes ProxyShell and PetitPotam attacks appeared first on The Record by Recorded Future.
