
Microsoft Exchange Servers Under Attack by New LockFile Ransomware

Security researchers say they have found a new ransomware family, called LockFile, that appears to be the same one used in earlier attacks on Microsoft Exchange servers in the US and Asia.
According to Symantec, the previously unseen ransomware has hit at least 10 organizations in the ongoing campaign.
The targets span multiple industries.
LockFile ransomware was first observed on the network of a US financial organization on July 20, 2021, with the most recent activity seen as recently as August 20.
As for how the new attacks work, Symantec reports indications that the attackers gain access to victims' networks through Microsoft Exchange servers, then use the unpatched PetitPotam vulnerability to gain access to domain controllers, and from there spread across the network.
So far it is unclear how the attackers gained initial access to the Microsoft Exchange servers.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), "malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine.
CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's security update from May 2021, which remediates all three ProxyShell vulnerabilities, to protect against these attacks."
The attackers behind the ransomware are said to use a ransom note whose design resembles the notes used by the LockBit ransomware gang, and to reference the Conti gang in the contact email address they use, contact@contipauper.com.
According to the report, the attackers typically install a set of tools on the compromised Exchange server around 20 to 30 minutes before deploying the ransomware.
This includes:
* An exploit for the CVE-2021-36942 vulnerability (aka PetitPotam). The code appears to be copied from https://github.com/zcgonvh/efspotato and is in a file called "Efspotato.exe".
* Two files, Active_Desktop_Render.dll and Active_Desktop_Launcher.exe. Their shellcode is encrypted, but it is very likely that it launches the Efspotato.exe file that exploits the PetitPotam vulnerability.
PetitPotam was patched in Microsoft's August Patch Tuesday release, but it later emerged that the fix was reported not to fully patch the vulnerability.
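The following hunting script is an added example, not code from the article, Symantec or CISA. Run in an elevated PowerShell session on the Exchange server, it reports the installed Exchange build (for comparison against Microsoft's list of builds carrying the May 2021 security update that CISA refers to), sweeps the disk for the three LockFile tool names listed above, searches small text files for the Conti-referencing ransom note address, and, when both are found, reports the gap between tool staging and the first ransom note. The search roots, the extension filter and the 64 KB size cap for ransom notes are assumptions; adjust them for your environment.

```powershell
# Added hunting example (not from the article or from Symantec/CISA).
# Run elevated on the Exchange server itself.

# Indicators named in the report.
$iocFiles = @('efspotato.exe', 'active_desktop_render.dll', 'active_desktop_launcher.exe')
$iocEmail = 'contact@contipauper.com'

# Assumption: volumes to sweep; add data volumes as needed.
$searchRoots = @('C:\')

Write-Host "== Installed Exchange build (compare with Microsoft's list of patched builds) =="
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if ($exsetup) {
    $exsetup.FileVersionInfo.ProductVersion
} else {
    Write-Warning 'ExSetup.exe not found on PATH; is this an Exchange server?'
}

Write-Host "== Enumerating files (this can take a while on large volumes) =="
$allFiles = Get-ChildItem -Path $searchRoots -Recurse -Force -File -ErrorAction SilentlyContinue

Write-Host "== Files matching LockFile tool names =="
$toolHits = $allFiles | Where-Object { $iocFiles -contains $_.Name.ToLowerInvariant() }
$toolHits | Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc | Format-Table -AutoSize

Write-Host "== Ransom notes referencing $iocEmail =="
# Assumption: notes are small text/HTA/HTML files; the extension list and 64 KB cap are ours.
$noteHits = $allFiles |
    Where-Object { ($_.Extension -in '.txt', '.hta', '.html') -and ($_.Length -lt 64KB) } |
    Select-String -SimpleMatch -Pattern $iocEmail -List -ErrorAction SilentlyContinue
$noteHits | Select-Object Path, LineNumber | Format-Table -AutoSize

# The report says tools are staged roughly 20 to 30 minutes before encryption;
# if both artefacts exist, show the observed gap for the incident timeline.
if ($toolHits -and $noteHits) {
    $firstTool = ($toolHits | Sort-Object CreationTimeUtc | Select-Object -First 1).CreationTimeUtc
    $firstNote = $noteHits |
        ForEach-Object { (Get-Item -LiteralPath $_.Path -Force).CreationTimeUtc } |
        Sort-Object | Select-Object -First 1
    $gap = ($firstNote - $firstTool).TotalMinutes
    Write-Host ("First tool drop preceded first ransom note by {0:N0} minutes" -f $gap)
}
```

File names alone are a weak signal, since the operators can rename binaries at will; treat a hit as a reason to preserve the host for forensics and to check the domain controllers next, which is where the report says PetitPotam is used after the Exchange foothold.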
Companies attacked include those in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors.

Published by
news2in