LockFile Ransomware Encrypting Domains Via Exchange Hack

‘These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March - they are more exploitable, and organizations largely haven’t patched,’ writes security researcher Kevin Beaumont.


A new ransomware operator is taking over Windows domains on networks around the world after exploiting a chain of Microsoft Exchange server vulnerabilities called ProxyShell.

The LockFile ransomware gang has taken advantage of the Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities to hijack Windows domains and encrypt devices, security researcher Kevin Beaumont reported Saturday. More technical details were recently disclosed on the ProxyShell flaws, which allowed security researchers and threat actors to reproduce the exploit, BleepingComputer said.

“These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March – they are more exploitable, and organizations largely haven’t patched,” Beaumont wrote in a blog post. “They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come.”



Microsoft didn’t immediately respond to a CRN request for comment Monday. The Redmond, Wash.-based software giant told CRN Friday that customers who’ve applied the latest Microsoft updates are already protected against the ProxyShell vulnerabilities.

When breaching a network, adversaries like LockFile will first access the on-premise Microsoft Exchange server using the ProxyShell flaws. From there, LockFile uses the incompletely patched PetitPotam vulnerability to gain access to the domain controller and then spread across the network, Symantec reported Friday. Once hackers control the Windows domain, it’s easy for them to deploy ransomware.

LockFile was first observed on the network of a U.S. financial organization on July 20, with its latest activity seen as recently as Friday, Symantec wrote in a blog post. Victims of LockFile are primarily based in the United States and Asia, and can be found in verticals such as manufacturing, financial services, engineering, legal, business services, and travel and tourism, according to Symantec.

“New surge in Microsoft Exchange server exploitation underway,” Rob Joyce, director of cybersecurity at the National Security Agency (NSA), wrote on Twitter at 6:58 a.m. ET Saturday. “You must ensure you are patched and monitoring if you are hosting an instance.”

Huntress has observed 164 vulnerable Exchange servers get compromised between Thursday and Sunday, with 13 of those exploitations taking place over the weekend, according to John Hammond, senior security researcher for the Ellicott City, Md.-based managed detection and response (MDR) vendor. Hammond first warned Thursday that attackers were scanning for vulnerable Exchange servers.

“Of the original 1,900 vulnerable Exchange servers from Friday night, we still see 1,764 that are unpatched as of right now,” Hammond wrote in an update at 8:24 p.m. ET Sunday. “This is fairly concerning since we are starting to see active post-exploitation behavior that includes coinminers and ransomware.”

When analyzing one host that was compromised with both ProxyShell and LockFile ransomware, Huntress uncovered a unique configuration it hadn’t seen before for ProxyShell activity, Hammond said. Specifically, the configuration file for the Exchange internet service was modified to include a new “virtual directory,” which essentially redirects one URL endpoint to another location on the filesystem.

“This allows a threat actor to hide a webshell in other uncommon and nonstandard locations, outside of the typically monitored ASP directories,” Hammond wrote in an update at 10:53 a.m. ET Monday. “If you don’t know to look for this, this is going to slip under the radar and the hackers will persist in the target environment.”
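A configuration-level check for the persistence technique Hammond describes, added here as an example (it is not Huntress’s or the article’s code): parse an IIS applicationHost.config and flag any virtual directory whose physical path falls outside the directories where Exchange and IIS content is expected to live. The config fragment and the allow-list of expected roots are constructed assumptions; adjust the roots to the install paths in your own environment.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed applicationHost.config fragment (not a real capture). It contains two
# ordinary virtual directories and one that maps a URL onto an unrelated folder,
# which is the pattern described in the article.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/owa" applicationPool="MSExchangeOWAAppPool">
          <virtualDirectory path="/" physicalPath="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa" />
        </application>
        <application path="/aspnet_client">
          <virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot\\aspnet_client" />
        </application>
        <application path="/update">
          <virtualDirectory path="/" physicalPath="C:\\ProgramData\\cache" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""

# Assumed allow-list: roots under which a legitimate Exchange/IIS virtual directory may point.
# Real configs often use %SystemDrive% in physicalPath; expand such variables before comparing.
EXPECTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Microsoft\Exchange Server"),
    PureWindowsPath(r"C:\inetpub\wwwroot"),
)


def _under_root(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if `path` is `root` or lies beneath it (PureWindowsPath compares case-insensitively)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def find_unexpected_vdirs(config_xml: str, roots=EXPECTED_ROOTS):
    """Return (site, url_path, physical_path) for every virtualDirectory outside the allowed roots."""
    findings = []
    for site in ET.fromstring(config_xml).iter("site"):
        for app in site.iter("application"):
            app_path = app.get("path", "/")
            for vdir in app.iter("virtualDirectory"):
                phys = PureWindowsPath(vdir.get("physicalPath", ""))
                url = app_path.rstrip("/") + vdir.get("path", "/")
                if not any(_under_root(phys, r) for r in roots):
                    findings.append((site.get("name"), url, str(phys)))
    return findings
```

Run it against a copy of `%windir%\System32\inetsrv\config\applicationHost.config` from each Exchange server; any hit that does not correspond to a documented, intentional mapping deserves a closer look.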

Many U.S. government systems remain unpatched for ProxyShell, with hundreds of internet-facing systems with *.gov SSL certificate hostnames still directly exploitable, Beaumont wrote Saturday. Beaumont – who left Microsoft in April – criticized the company for downplaying the importance of the ProxyShell patches and for not compensating researchers who discover flaws in on-premise Exchange.

“Ask Microsoft to talk about threats against their own products as they would with other vendor’s products,” Beaumont wrote in his blog post. “During this period, Microsoft have [sic] been openly detailing how to exploit vulnerabilities in other vendor’s products, but have completely failed to deal with their own problems.”

David Stinner, president of US itek, a Buffalo, N.Y.-based MSP, said the new LockFile ransomware attacks using the ProxyShell vulnerabilities are yet another sign that business owners need to upgrade old technology and move to the cloud.

“This proves to business owners they can’t sit on this old technology and run it for years and years like they did in the pre-ransomware landscape,” he said. “MSPs need to be on alert to find these vulnerabilities and patch their customers to prevent ransomware.”

The problem is many business owners are not willing to pay more for cybersecurity protection, said Stinner. “Business owners are notoriously cheap and don’t understand the critical nature of IT systems in operating their business,” he said. “MSPs need to put all their customers on SIEM (Security Information and Event Management) monitoring with a 24 hour SOC (Security Operations Center) to be able to react before they are ransomed and critical customer data is lost or breached.”

Stinner said staying on premise begs the question of who has more resources to bring to bear to secure customer email: Microsoft or MSPs themselves?

“Of course, it is Microsoft,” he said. “They provide a whole different level of protection than MSPs could with an on-premise Exchange server, which is the responsibility of the customer or the MSP to update with patches.”

Additional reporting by Steven Burke