[TheRecord] New LockFile ransomware gang weaponizes ProxyShell and PetitPotam attacks

A new ransomware group has weaponized two recently disclosed vulnerabilities to improve its chances of breaching, taking over, and encrypting corporate networks.

Named LockFile, this new ransomware gang has been seen exploiting a vulnerability known as ProxyShell to gain access to Microsoft Exchange email servers, from where it pivots to companies’ internal networks, according to reports from security firm TG Soft and security researcher Kevin Beaumont.

Once inside, LockFile operators abuse an attack method known as PetitPotam to take over a company’s Windows domain controller and then deploy their file-encrypting payloads to connected workstations, according to a report published on Friday by security firm Symantec.

Details about the PetitPotam attack and the ProxyShell vulnerability were disclosed at the end of July and in early August, respectively, showing once again how quickly cybercrime gangs weaponize exploits once they enter the public domain.

2021-08-19 #LockFile #Ransomware via #Exchange #ProxyShell #EfsPotato #VatetLoader #CobaltStrike hit Italy 🇮🇹
We have analyzed a case of attack by #LockFile #Ransomware that used Exchange exploit and group policy to attack an entire network. @58_158_177_102 @siri_urz @reecdeep pic.twitter.com/jWhEht7qHG

— TG Soft (@VirITeXplorer) August 20, 2021

Symantec said the group has already hit at least ten organizations, with most of its victims based in the US and Asia.

“The LockFile ransomware was first observed on the network of a US financial organization on July 20, 2021, with its latest activity seen as recently as August 20,” the company said last week.

Currently, details about this ransomware operation are still scarce. What is known is that LockFile tries to mimic the visual style of the ransom notes used by LockBit, a better-known ransomware gang whose use in the criminal underworld has recently spiked.

Image: Symantec

To prevent the LockFile gang from gaining access to their systems, companies are advised to apply patches for the PetitPotam and ProxyShell vulnerabilities.

PetitPotam patches and mitigations are detailed here.

ProxyShell security patches have shipped with the May and July Windows security updates (CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523).

The post New LockFile ransomware gang weaponizes ProxyShell and PetitPotam attacks appeared first on The Record by Recorded Future.
