Home » Technology » Microsoft » Ransom Attacks On Microsoft Exchange Servers Witnessed Globally

Ransom Attacks On Microsoft Exchange Servers Witnessed Globally

Microsoft Exchange

It’s not new, it was started a few months back, and hardly a week goes by now without new reports of attacks on unpatched Exchange servers. The next stage now follows: the attackers distribute ransomware, which initially takes up system resources and paralyzes the computer.

The group of hackers, known as LockFile, encrypts Windows domains after breaking into Microsoft Exchange servers that have not yet been updated using the recently discovered ProxyShell vulnerabilities. The new wave of blackmail exploits two vulnerabilities, on the one hand, the Microsoft Exchange ProxyShell and on the other the Windows PetitPotam vulnerability. ProxyShell is the name of an attack that consists of three concatenated Microsoft Exchange vulnerabilities that allow unauthenticated remote code execution.

Although Microsoft has fully patched these vulnerabilities, more and more technical details are emerging that allow security researchers and threat actors to reproduce the vulnerability. According to the report by Bleeping Computer, this has led to increased attacks on unsecured Exchange servers worldwide. Such a wave was feared last week.

The back door is now in use

Cyber ​​gangsters actively look for Microsoft Exchange servers that are vulnerable and install a backdoor which in turn is used to upload and run other programs. When the threat actors enter a network, they first access the on-site Microsoft Exchange server via the ProxyShell vulnerabilities. As soon as they have gained a foothold, according to the security researchers at Symantec, the LockFile gang uses the PetitPotam vulnerability to take over a domain controller and thus the Windows domain.

This makes it easy to distribute the ransomware throughout the network. When encrypting the systems, the ransomware adds the extension .lockfile to the name of the encrypted file. These types of attacks and extortion are currently increasing. How widespread LockFile is already is currently unclear.