Microsoft Exchange Servers Being Hacked by New LockFile Ransomware

A new ransomware gang named LockFile has emerged. The group encrypts files on Windows domains after breaking into Microsoft Exchange servers using the recently disclosed ProxyShell vulnerabilities. ProxyShell is a collection of three vulnerabilities that are chained to take control of Microsoft Exchange servers. The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) were all patched in May 2021, although many organizations that use Exchange have not updated, and the threat level recently became more severe because more technical details were disclosed, allowing the exploit to be reproduced. The LockFile threat group has been reported to have used the “PetitPotam” attack method to completely take over Domain Controllers after gaining initial access to Exchange servers via ProxyShell. The leak site for LockFile looks very similar to the LockBit leak site, although that appears to be the only similarity. The contact information on the leak site lists [email protected] as the group’s email address, which may indicate that the LockFile group claims a relationship to (or contrast with) the Conti ransomware operation.

Analyst Notes

To mitigate the ProxyShell vulnerabilities, organizations should install the latest Microsoft Exchange cumulative updates as soon as possible. Exchange servers are easy for threat actors to find if they are connected to the Internet, and any serious vulnerability in Exchange is likely to be exploited. Binary Defense analysts monitor the Darknet daily, and even with the increased government and law enforcement scrutiny on combating ransomware, new ransomware groups are emerging all the time. Organizations need to be proactive in improving their security posture to contend with multiple types of cyber threats. To protect against cyber threats and data breaches, organizations should have an incident response plan in place. A detailed plan should include digital forensics response activation and notification procedures for a cyber incident. Regularly patch software and operating systems to the latest available versions. Employ best practices for the use of RDP and other remote desktop services by protecting them behind a strong VPN with Multi-Factor Authentication (MFA) and by auditing any unusual login events from IP addresses or devices that differ from what the employee account normally uses. Threat actors commonly gain initial access through insecure Internet-facing remote services or phishing. Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites. When an attack makes it through the outer layers of defense, it is important to have a Security Operations Center or a managed security monitoring service with expert security analysts on duty, such as the Binary Defense Security Operations Task Force. The Task Force provides 24/7 monitoring of SIEM and endpoint detection systems to detect and defend against intrusions on an organization’s network.
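As an added illustration of the login-auditing recommendation above (example code written for this note, not Binary Defense tooling), the following builds a per-account baseline of source IPs and device IDs from constructed sample logins and flags later logins that fall outside it; all accounts, addresses and device names are made up.

```python
# Added example: flag logins whose source IP or device differs from the
# account's established baseline. The events below are constructed sample
# data, not records from any real incident.
from collections import defaultdict

# Constructed historical logins: (timestamp, account, source_ip, device_id)
BASELINE_EVENTS = [
    ("2021-08-02T08:01:00", "alice", "203.0.113.10", "LAPTOP-A1"),
    ("2021-08-03T08:05:00", "alice", "203.0.113.10", "LAPTOP-A1"),
    ("2021-08-04T07:58:00", "alice", "203.0.113.11", "LAPTOP-A1"),
    ("2021-08-02T09:10:00", "bob",   "198.51.100.7", "DESKTOP-B2"),
    ("2021-08-03T09:12:00", "bob",   "198.51.100.7", "DESKTOP-B2"),
]

# Constructed new logins to audit against the baseline
NEW_EVENTS = [
    ("2021-08-20T03:14:00", "alice", "203.0.113.10", "LAPTOP-A1"),  # matches baseline
    ("2021-08-20T03:20:00", "alice", "192.0.2.55",   "LAPTOP-A1"),  # never-seen IP
    ("2021-08-20T03:25:00", "bob",   "198.51.100.7", "WIN-X9Q2"),   # never-seen device
    ("2021-08-20T03:30:00", "carol", "192.0.2.99",   "UNKNOWN"),    # account has no history
]

def build_baseline(events):
    """Collect the set of source IPs and device IDs each account has used."""
    baseline = defaultdict(lambda: {"ips": set(), "devices": set()})
    for _ts, account, ip, device in events:
        baseline[account]["ips"].add(ip)
        baseline[account]["devices"].add(device)
    return baseline

def find_unusual_logins(baseline, events):
    """Return (timestamp, account, reason) for each login outside the baseline."""
    alerts = []
    for ts, account, ip, device in events:
        profile = baseline.get(account)  # .get() does not create a default entry
        if profile is None:
            alerts.append((ts, account, "no prior logins for account"))
            continue
        reasons = []
        if ip not in profile["ips"]:
            reasons.append(f"new source IP {ip}")
        if device not in profile["devices"]:
            reasons.append(f"new device {device}")
        if reasons:
            alerts.append((ts, account, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_unusual_logins(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(*alert)
```

In practice the baseline would be built from a longer history than the handful of constructed events here, and a hit should be treated as a prompt for analyst review rather than a verdict on its own.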