The attackers break into Microsoft Exchange servers through ProxyShell and then take control of the Windows domain through PetitPotam.
The new LockFile ransomware gang encrypts Windows domains after breaking into Microsoft Exchange servers through the widely publicised ProxyShell vulnerabilities and taking over the domain controller through the PetitPotam vulnerability, which at the time had not been fully patched.
The three ProxyShell vulnerabilities were discovered by Orange Tsai, principal security researcher at Devcore, who chained them to breach a Microsoft Exchange server at the Pwn2Own competition in April 2021.
CVE-2021-34473 - pre-authentication path confusion leading to an ACL bypass. Patched in April 2021 by KB5001779.
CVE-2021-34523 - elevation of privilege on the Exchange PowerShell backend. Patched in April 2021 by KB5001779.
CVE-2021-31207 - post-authentication arbitrary file write leading to remote code execution. Patched in May 2021 by KB5003435.
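The ACL bypass in CVE-2021-34473 leaves a recognisable trace in the Exchange front end's IIS logs: a request to /autodiscover/autodiscover.json whose query starts with the Explicit Logon form "@domain/" and reaches a backend path such as /mapi/nspi or /powershell, often carrying a self-referencing Email=autodiscover/autodiscover.json parameter. The following triage script is an added example written for this article, not code from the article or from the researchers it cites; the indicator it matches follows public reporting on the bug, the backend path list and the sample log lines are constructed for the demonstration, and a match means an attempt was logged, not that it succeeded.

```python
"""Triage IIS W3C logs from an Exchange front end for the ProxyShell
path-confusion indicator (CVE-2021-34473).

Added example, not from the article or its sources. Matches requests to
/autodiscover/autodiscover.json whose query uses the Explicit Logon prefix
"@<domain>/" to reach a backend path, or that carry the self-referencing
Email=autodiscover/autodiscover.json parameter. Log lines are constructed.
"""
from urllib.parse import unquote

# Backend paths the confused URL is typically used to reach (assumed list; extend as needed).
BACKEND_MARKERS = ("/mapi/nspi", "/powershell", "/ews")

# Constructed sample log: two ordinary client requests, then two ProxyShell probes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-08-20 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 10.0.0.42 Microsoft+Office/16.0 200
2021-08-20 10:01:03 10.0.0.5 GET /owa/ - 443 10.0.0.43 Mozilla/5.0 200
2021-08-20 10:02:17 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 203.0.113.77 python-requests/2.25.1 200
2021-08-20 10:02:19 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 203.0.113.77 python-requests/2.25.1 500
"""


def parse_iis_log(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; IIS encodes spaces inside fields as '+'
        yield dict(zip(fields, values))


def is_proxyshell_request(record):
    """True if the record carries the CVE-2021-34473 path-confusion indicator."""
    stem = unquote(record.get("cs-uri-stem", "")).lower()
    query = unquote(record.get("cs-uri-query", "-")).lower()
    if "autodiscover/autodiscover.json" not in stem:
        return False
    explicit_logon = query.startswith("@")       # "?@domain/..." Explicit Logon syntax
    self_reference = "email=autodiscover/autodiscover.json" in query
    hits_backend = any(marker in query for marker in BACKEND_MARKERS)
    return self_reference or (explicit_logon and hits_backend)


def find_proxyshell_requests(text):
    """Return a summary dict for every matching record in the log text."""
    hits = []
    for rec in parse_iis_log(text):
        if not is_proxyshell_request(rec):
            continue
        query = unquote(rec["cs-uri-query"]).lower()
        target = next((m for m in BACKEND_MARKERS if m in query), None)
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "method": rec["cs-method"],
            "target": target,
            "status": rec["sc-status"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_proxyshell_requests(SAMPLE_LOG):
        print(hit)
```

Run it against real logs by reading C:\inetpub\logs\LogFiles\W3SVC1\*.log into the text argument. A 200 response on a server that had not received KB5001779 is a strong signal that the backend was reached; on a patched server the same request should fail, but the client address is still worth blocking and correlating with later web-shell or PetitPotam activity.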
The operators of a new ransomware family have started abusing the ProxyShell and PetitPotam vulnerabilities to hijack Windows domains and encrypt devices deeper in the network, according to security researcher Kevin Beaumont.
The attackers first gain access to on-premises Microsoft Exchange servers through the ProxyShell vulnerabilities, which gives them a foothold in the network. They then exploit the PetitPotam vulnerability to take over the domain controller and, with it, the Windows domain. From there the attackers spread through the network, according to information security specialists at Symantec.
Little is currently known about the LockFile ransomware group. The ransomware was first seen in July 2021, dropping a ransom note named LOCKFILE-README.hta on the systems it targeted; since last week it has been reported under the name LockFile. When encrypting data, the ransomware appends the extension .lockfile to each file name.