Microsoft Exchange Servers Hacked by New Ransomware Gang via ProxyShell Vulnerabilities: How to Avoid

Microsoft Exchange servers have been hacked by a new ransomware group calling itself LockFile, which is breaking in through the recently disclosed ProxyShell vulnerabilities.

[Image: A Microsoft logo adorns a building in Chevy Chase, Maryland, on May 19, 2021. Photo by EVA HAMBACH/AFP via Getty Images]

Microsoft Exchange Servers Hack

According to BleepingComputer, LockFile first gains access through on-premises Microsoft Exchange servers and then encrypts entire Windows domains. Exchange is a high-value entry point because it is Microsoft's email and calendaring server, widely deployed on premises and usually exposed directly to the internet.

This is not the first time Microsoft Exchange Server has been the target of a cyberattack: attackers also exploited its vulnerabilities on May 31.

Another Microsoft Exchange hack occurred on March 24.

The Hacker News added that about 1,900 Microsoft Exchange servers have been compromised in the campaign so far.

Huntress Labs CEO Kyle Hanslovan added that the victims already include seafood processors, auto repair shops, a quaint residential airport, and industrial machinery and building-products manufacturers, among others.

As of writing, Huntress Labs researchers had logged about 100 incident reports concerning the Exchange exploit between Aug. 17 and Aug. 18.

ProxyShell Vulnerabilities

The ProxyShell vulnerabilities used in the attacks were discovered by Devcore principal security researcher Orange Tsai, who chained them to take over an Exchange server at the Pwn2Own 2021 hacking contest in April.

ProxyShell is a chain of three flaws: CVE-2021-34473, a pre-authentication path confusion that leads to an ACL bypass; CVE-2021-34523, an elevation of privilege on the Exchange PowerShell backend; and CVE-2021-31207, a post-authentication arbitrary file write that leads to remote code execution. The first bug lets an unauthenticated request reach backend services that the front end should never proxy, the second turns that access into a privileged PowerShell session, and the third uses that session to write a web shell to disk.

Although Microsoft had patched all three flaws in its April and May 2021 Exchange security updates (the CVE identifiers for the first two were only published in July), the technical details were only made public in early August, when Tsai presented the research at Black Hat USA 2021.

Within days of that talk, attackers reproduced the exploit chain and began mass-scanning for unpatched Exchange servers, compromising any they found.
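The exploitation attempts described above leave a recognisable trace in the Exchange front-end IIS logs: a request to /autodiscover/autodiscover.json whose query string starts with an "@" followed by a backend path, and whose Email= parameter points back at autodiscover.json. That is the publicly documented shape of the CVE-2021-34473 path confusion, by which the front end is tricked into proxying the request to a backend such as /mapi/nspi or /powershell. The following Python is an added example written for this article, not code from BleepingComputer, Huntress or Microsoft; it parses W3C-format IIS log text and reports matching requests. The log lines, host names, IP addresses and field layout are constructed for the example.

```python
"""Scan IIS W3C logs for the ProxyShell (CVE-2021-34473) path-confusion signature.

Added example for this article; the sample log below is constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple
from urllib.parse import unquote

# Constructed IIS front-end log (W3C format). Lines 1-2 and 5 mimic the exploit
# chain's pre-auth probe against /mapi/nspi, /powershell and /ews; lines 3-4 are
# ordinary OWA and Outlook traffic that must not be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2021-08-17 02:14:05 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 120
2021-08-17 02:14:06 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?&Email=autodiscover/autodiscover.json%3f@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 340
2021-08-17 02:30:00 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=0 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 15
2021-08-17 02:31:00 10.0.0.5 POST /autodiscover/autodiscover.json - 443 CORP\\alice 192.0.2.33 Microsoft+Office/16.0 - 200 0 0 22
2021-08-17 02:40:00 10.0.0.5 GET /Autodiscover/Autodiscover.json @evil.corp/ews/exchange.asmx/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 Mozilla/5.0 - 401 0 0 9
"""

AUTODISCOVER_STEM = re.compile(r"^/autodiscover/autodiscover\.json$", re.I)
# Email= parameter pointing back at autodiscover.json (after URL-decoding).
EMAIL_LOOPBACK = re.compile(r"(?:^|&)email=autodiscover/autodiscover\.json", re.I)
# "@host/backend[/sub]" at the start of the query: the path-confusion prefix.
PATH_CONFUSION = re.compile(r"^@[^/]+/([^/?]+(?:/[^/?]+)?)", re.I)


@dataclass
class Hit:
    time: str        # "date time" from the log entry
    client_ip: str   # c-ip: the scanner or attacker
    backend: str     # backend path the request tried to reach (e.g. mapi/nspi)
    status: str      # sc-status: 200 = request was proxied, 401 = blocked
    line: str        # raw log line for the incident report


def parse_w3c(text: str) -> Iterator[Tuple[dict, str]]:
    """Yield (record, raw_line) for each entry, using the #Fields: header for names."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header entry; skip rather than guess
        yield dict(zip(fields, parts)), raw


def find_proxyshell(text: str) -> List[Hit]:
    """Return every request matching the ProxyShell path-confusion signature."""
    hits: List[Hit] = []
    for rec, raw in parse_w3c(text):
        if not AUTODISCOVER_STEM.match(rec.get("cs-uri-stem", "")):
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue  # normal Autodiscover call carries no query string
        decoded = unquote(query)
        m = PATH_CONFUSION.match(decoded)
        if m or EMAIL_LOOPBACK.search(decoded):
            hits.append(Hit(
                time=f"{rec['date']} {rec['time']}",
                client_ip=rec.get("c-ip", "?"),
                backend=m.group(1).lower() if m else "?",
                status=rec.get("sc-status", "?"),
                line=raw,
            ))
    return hits


if __name__ == "__main__":
    for h in find_proxyshell(SAMPLE_LOG):
        print(f"{h.time} {h.client_ip} -> {h.backend} (HTTP {h.status})")
```

On a real server, point `find_proxyshell` at the Default Web Site logs (by default under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\`). A hit with a 401 or 500 response is an attempt that the patch or a missing mailbox blocked; a hit with a 200 against /powershell means the request was proxied and the server should be treated as potentially compromised and handed to incident response, since patching alone does not remove a web shell that was already dropped.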

LockFile Ransomware Gang: Who are They

The new group first announced itself through the ransom note it leaves behind, a file named "LOCKFILE-README.hta."

Despite that file name, the early versions of the note were not signed by the group and carried no branding.

Starting last week, however, BleepingComputer noted in the same report that LockFile has begun adding its branding to its latest ransom notes.

Besides the gang's moniker in the note's file name, the note's header now also reads "Lock File."

Microsoft Exchange Server ProxyShell Vulnerabilities: How to Avoid

Because LockFile is exploiting the Microsoft Exchange ProxyShell vulnerabilities, administrators should install the latest Microsoft Exchange Server security updates. The fixes ship in the Exchange cumulative and security updates, not in ordinary Windows updates, so a server that is current on Windows patches can still be vulnerable if its Exchange build is out of date.

The current Exchange Server security updates already patch all three ProxyShell vulnerabilities.

Businesses relying on Microsoft Exchange should therefore update as soon as possible to avoid sharing the fate of the ransomware victims, and should check that servers were not already compromised before the patch was applied.

This article is owned by Tech Times

Written by Teejay Boris

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.