What you need to know
- A new ransomware attack known as LockFile is targeting Microsoft Exchange servers.
- LockFile exploits a series of vulnerabilities in Microsoft Exchange known as ProxyShell, according to security researchers.
- If successful, LockFile can be used to spread ransomware throughout a network.
LockFile utilizes an exploit known as PetitPotam, according to Symantec. While it's believed that attackers gain access to a network through Microsoft Exchange servers and then use the PetitPotam vulnerability, Symantec says it's "not clear how the attackers gain initial access to the Microsoft Exchange Servers."
In contrast to Symantec's statement, DoublePulsar reports that the attack exploits vulnerabilities in Microsoft Exchange known as ProxyShell.
Bleeping Computer explains that ProxyShell consists of "three chained Microsoft Exchange vulnerabilities that result in unauthenticated, remote code execution." These vulnerabilities were initially discovered by Orange Tsai.
Microsoft patched the ProxyShell vulnerabilities in May 2021, but researchers and attackers have since been able to reproduce the exploit.
The latest Microsoft Exchange cumulative updates patch the ProxyShell vulnerabilities used in these attacks. Microsoft does not have a full patch for the PetitPotam attack.
The Cybersecurity & Infrastructure Security Agency also has an advisory on the vulnerabilities:
Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.
