Published: Aug 23, 2021
The LockFile ransomware group has been actively attacking Microsoft Exchange Servers, exploiting three vulnerabilities that Microsoft patched in April and May this year. Known collectively as the Exchange Server ProxyShell vulnerabilities, they are being chained by LockFile with the Windows PetitPotam NTLM relay weakness, which Microsoft only partially addressed in this month's Patch Tuesday updates, to take over Windows domains.
The three Microsoft Exchange Server vulnerabilities, which you can see listed below, were reported by Orange Tsai, a security researcher at Devcore. LockFile was able to weaponize the Exchange flaws once more technical details about them were published recently.
Exploiting unpatched Exchange Servers lets LockFile drop web shells, which it then uses to upload further malicious code to the servers and execute it. Combining that foothold with the PetitPotam weakness, which Microsoft has still not fully fixed, lets LockFile take over the Windows Active Directory domain, and from there it is straightforward for the group to push ransomware to servers and other devices across the entire network.
Microsoft has not completely closed the NTLM relay flaw behind PetitPotam, so making sure your Exchange Servers are running the latest cumulative updates, available from Microsoft's website, is critical to stop LockFile getting its initial foothold on your network.
Microsoft released a fix for PetitPotam, tracked as CVE-2021-36942. The fix blocks the abused EFS calls over the LSARPC interface, which can affect organizations still running Windows Server 2008 SP2 that rely on the Encrypting File System (EFS).
You should apply the fix to domain controllers first, then follow the instructions in KB5005413 to mitigate NTLM relay attacks against servers that have the Active Directory Certificate Services (AD CS) Certificate Authority Web Enrollment or Certificate Enrollment Web Service roles installed.
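The KB5005413 mitigations are IIS settings on the AD CS web enrollment server, so they can be audited and applied from PowerShell. The script below is an added example written for this page; it is not code from the original article, from Microsoft or from KB5005413. It checks the two settings the KB centres on for these services, Extended Protection for Authentication (EPA) set to Require and SSL required, on each enrollment application, and applies them when run with -Remediate. It assumes the site is named "Default Web Site", that Web Enrollment lives at /CertSrv and that the CES applications have "_CES_" in their path (all of these are assumptions to adjust for your server). It does not install the CVE-2021-36942 update itself.

```powershell
<#
Added example (not from the article, Microsoft or KB5005413): audit, and with
-Remediate apply, the EPA and SSL settings KB5005413 calls for on AD CS web
enrollment endpoints. Run in an elevated PowerShell on the AD CS web server.
Assumed layout: site "Default Web Site", Web Enrollment at /CertSrv, CES
applications containing "_CES_" in their path.
#>
[CmdletBinding()]
param(
    [string]$SiteName = 'Default Web Site',   # assumed site name
    [switch]$Remediate                        # audit only unless set
)

Import-Module WebAdministration -ErrorAction Stop

$AppHost   = 'MACHINE/WEBROOT/APPHOST'
$EpaFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$SslFilter = 'system.webServer/security/access'

# IIS returns some attributes as ConfigurationAttribute objects and others as
# plain strings; normalise both to a string so the comparisons below work.
function Get-IisAttribute {
    param([string]$Location, [string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { return [string]$raw.Value }
    return [string]$raw
}

# Enrollment endpoints under the site (assumed path conventions, see header).
$apps = Get-WebApplication -Site $SiteName | Where-Object { $_.Path -match '^/CertSrv$|_CES_' }
if (-not $apps) {
    Write-Warning "No AD CS enrollment applications found under '$SiteName'."
    return
}

$results = foreach ($app in $apps) {
    $location = "$SiteName$($app.Path)"
    $epa = Get-IisAttribute -Location $location -Filter $EpaFilter -Name 'tokenChecking'
    $ssl = Get-IisAttribute -Location $location -Filter $SslFilter -Name 'sslFlags'

    # tokenChecking is None, Allow or Require; anything below Require still lets
    # a relayed NTLM exchange succeed. Without SSL there is no channel binding
    # for EPA to check, so both have to hold.
    $epaOk = ($epa -eq 'Require')
    $sslOk = ($ssl -match '\bSsl\b')

    if ($Remediate) {
        if (-not $epaOk) {
            Set-WebConfigurationProperty -PSPath $AppHost -Location $location `
                -Filter $EpaFilter -Name 'tokenChecking' -Value 'Require'
            $epa = 'Require'; $epaOk = $true
        }
        if (-not $sslOk) {
            # Keep any flags already set (e.g. SslNegotiateCert) and add Ssl.
            $newSsl = if ($ssl -and $ssl -ne 'None') { "$ssl,Ssl" } else { 'Ssl' }
            Set-WebConfigurationProperty -PSPath $AppHost -Location $location `
                -Filter $SslFilter -Name 'sslFlags' -Value $newSsl
            $ssl = $newSsl; $sslOk = $true
        }
    }

    [pscustomobject]@{
        Application   = $location
        EPA           = $epa
        SslFlags      = $ssl
        RelayHardened = ($epaOk -and $sslOk)
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.RelayHardened }) {
    Write-Warning 'One or more enrollment endpoints still accept relayable NTLM authentication (see KB5005413).'
}
```

Run it once without arguments to see the current state of each endpoint, then with -Remediate to set EPA to Require and require SSL. KB5005413 also describes further steps this script does not perform, such as the web.config change for the CES binding and disabling NTLM on the enrollment endpoints where Kerberos can be used instead, so treat a clean result here as necessary rather than sufficient.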
In a recent advisory, Microsoft says about PetitPotam:
To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413* instruct customers on how to protect their AD CS servers from such attacks.
You are potentially vulnerable to this attack if you are using Active Directory Certificate Services (AD CS) with any of the following services: