Patch Microsoft Exchange Servers Now to Stop LockFile Ransomware
The LockFile ransomware group has been actively launching attacks against Microsoft Exchange Servers, exploiting three vulnerabilities that were patched by Microsoft in April and May this year. Known as the Exchange Server ProxyShell vulnerabilities, the LockFile group uses them, in conjunction with the Windows PetitPotam vulnerabilities that were partially patched in the round of updates on Patch Tuesday earlier this month, to hijack Windows domains.
The three Microsoft Exchange Server vulnerabilities, which you can see listed below, were reported by Orange Tsai, a security researcher at Devcore. LockFile has been able to weaponize the flaws in Exchange because more technical details were recently released.
- CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass
- CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend
- CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE
Exploiting unpatched Exchange Servers allows LockFile to drop web shells that are used to upload malicious code to the servers and then run it. When combined with the PetitPotam vulnerabilities that are still not fully patched by Microsoft, LockFile is able to take over Windows Active Directory domains and encrypt servers and other devices. It’s then easy for the group to distribute ransomware across an entire network.
While Microsoft hasn’t completely closed the NTLM Relay flaws in PetitPotam, making sure your Exchange Servers are patched with the latest cumulative updates, which you can find on Microsoft’s website here, is critical to stop LockFile getting a foothold on your network.
Microsoft released a fix for PetitPotam, otherwise known as CVE-2021-36942. The fix blocks the LSARPC interface, potentially impacting organizations still running Windows Server 2008 SP2 that use the Encrypted File System (EFS).
You should apply the fix to domain controllers first and then follow the instructions in KB5005413 to mitigate attacks on servers with the Active Directory Certificate Services (AD CS) Certificate Authority Web Enrollment and Certificate Enrollment Web Service installed.
In a recent advisory, Microsoft says about PetitPotam:
To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413* instruct customers on how to protect their AD CS servers from such attacks.
You are potentially vulnerable to this attack if you are using Active Directory Certificate Services (AD CS) with any of the following services:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
More in Security
Microsoft Defender Vulnerability Management Now Supports Firmware Assessments
Nov 29, 2022 | Rabia Noureen
Microsoft Entra Workload Identities Service is Now Generally Available
Nov 29, 2022 | Rabia Noureen
Microsoft Authenticator to Enable Number Matching Security Feature by Default in February 2023
Nov 21, 2022 | Rabia Noureen
Microsoft Defender for Endpoint Adds Network Protection on iOS and Android
Nov 11, 2022 | Rabia Noureen
What is a Software-Defined Perimeter?￼
Nov 11, 2022 | Sukesh Mudrakola
Microsoft Defender for Business Adds Server Protections for SMBs
Nov 10, 2022 | Rabia Noureen
Most popular on petri