Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam
Description
FortiGuard Labs is aware of reports that previously unseen ransomware "LockFile" is being distributed using ProxyShell and PetitPotam. The attacker gains a foothold into the victim's network using ProxyShell, then uses PetitPotam to gain access to the domain controller which then enables them to deploy the LockFile ransomware onto the network.
What is The Issue?
A new ransomware dubbed LockFile is being distributed using ProxyShell and PetitPotam, both of which Microsoft recently released fixes for. Proof-of-concept code for ProxyShell is publicly available, and attacks that use it are becoming increasingly common.
How does the Attack Work?
The attacker gains a foothold into the victim's network using ProxyShell, then uses PetitPotam to gain access to the domain controller, which then enables the release of the LockFile ransomware onto the network.
What is ProxyShell and PetitPotam?
ProxyShell is a name for a Microsoft Exchange exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows the attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.
PetitPotam (CVE-2021-36942) is an NTLM (NT LAN Manager) relay attack that allows the attacker to take control of a Windows domain in which Active Directory Certificate Services (AD CS) is running.
FortiGuard Labs previously posted Threat Signals on ProxyShell and PetitPotam. See the Appendix for the links to the relevant Threat Signals.
Are the Patches Available for ProxyShell and PetitPotam?
The three vulnerabilities that make up ProxyShell have already been patched, as follows:
CVE-2021-34473 and CVE-2021-34523: Microsoft released a patch as part of the April 2021 Patch Tuesday.
CVE-2021-31207: Microsoft released a patch as part of the May 2021 Patch Tuesday.
CVE-2021-36942, dubbed PetitPotam, was patched by Microsoft as part of the August 2021 Patch Tuesday.
Microsoft has also provided mitigation for PetitPotam. See the Appendix for a link to "KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services".
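The following script is an added example, not part of the FortiGuard Threat Signal or of Microsoft's KB article. It is a read-only audit, run elevated on an AD CS host, of the settings KB5005413 asks administrators to harden against NTLM relay: Extended Protection for Authentication and Require SSL on the Web Enrollment, CES and CEP IIS applications, plus the "Restrict NTLM: Incoming NTLM traffic" policy on the CA itself. The site name "Default Web Site", the application path patterns, and the interpretation of a missing registry value as "not configured" are assumptions for a default installation.

```powershell
# Added example (not from the advisory or KB5005413): audit AD CS NTLM relay hardening.
# Requires the WebAdministration module (IIS) and an elevated session on the AD CS host.
Import-Module WebAdministration -ErrorAction Stop

function Test-AdcsRelayHardening {
    param(
        # Assumption: AD CS web roles live under the default IIS site.
        [string]$SiteName = 'Default Web Site'
    )
    $results = @()

    # 1. AD CS web applications: Web Enrollment (/CertSrv) plus CES and CEP endpoints.
    #    Assumption: CES/CEP application names follow the default *_CES_* / *_CEP_* pattern.
    $apps = Get-WebApplication -Site $SiteName |
        Where-Object { $_.Path -match '^/(CertSrv|.*_CES_.*|.*_CEP_.*)$' }
    if (-not $apps) {
        $results += [pscustomobject]@{ Check = 'IIS apps'; Target = $SiteName; Value = 'none found'; Pass = $null }
    }

    foreach ($app in $apps) {
        $psPath = "IIS:\Sites\$SiteName\" + $app.Path.TrimStart('/')

        # Extended Protection for Authentication: tokenChecking must be 'Require'
        # so a relayed NTLM exchange fails the channel-binding check.
        $ep = Get-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name 'extendedProtection'
        $token = "$($ep.tokenChecking)"
        $results += [pscustomobject]@{ Check = 'EPA tokenChecking'; Target = $app.Path; Value = $token; Pass = ($token -eq 'Require') }

        # Require SSL: channel binding only exists on a TLS channel, so HTTP must be off.
        $ssl = Get-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/security/access' -Name 'sslFlags'
        if ($ssl.PSObject.Properties['Value']) { $ssl = $ssl.Value }
        $sslText = "$ssl"
        $results += [pscustomobject]@{ Check = 'Require SSL'; Target = $app.Path; Value = $sslText; Pass = ($sslText -match '\bSsl\b') }
    }

    # 2. Incoming NTLM on the CA host ("Network security: Restrict NTLM: Incoming NTLM traffic").
    #    0 = allow all, 1 = deny domain accounts, 2 = deny all; a missing value means not configured.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm = (Get-ItemProperty -Path $lsa -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
    if ($null -eq $ntlm) { $ntlm = 0 }   # assumption: absent value behaves like "allow all"
    $results += [pscustomobject]@{ Check = 'RestrictReceivingNTLMTraffic'; Target = 'LSA\MSV1_0'; Value = $ntlm; Pass = ($ntlm -eq 2) }

    return $results
}

# Usage: print one row per check; any Pass = False row is a KB5005413 gap to close.
Test-AdcsRelayHardening | Format-Table -AutoSize
```

The script changes nothing; it only reports. Disabling incoming NTLM entirely (value 2) can break clients that still depend on NTLM, so KB5005413 positions it as the stronger option after EPA and Require SSL are in place; treat a failing NTLM row as a prompt to review, not an automatic change.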
What is LockFile ransomware?
LockFile is a previously unseen ransomware that first appeared in late July 2021.
Like any other ransomware, LockFile encrypts files on the compromised system, directs the victim to the attacker's onion site, and demands a ransom in order to recover the encrypted files.
What is the Status of Coverage?
FortiGuard Labs has the following AV coverage against the attack:
- W64/KillProc.M!tr
- W32/Agent.QH!exploit
- W32/PetitPotam.A!exploit
- Riskware/KernelDrUtil.E
- Riskware/KDU
FortiGuard Labs has the following IPS coverage against ProxyShell and PetitPotam:
- MS.Exchange.Server.Autodiscover.Remote.Code.Execution
- MS.Windows.Server.NTLM.Relay.Spoofing (initial action is set to "pass")
FortiEDR detects and blocks ProxyShell attacks out of the box, without prior knowledge of the attack or any special configuration.
All known network IOCs are blocked by the FortiGuard WebFiltering Client.
Any Other Suggested Mitigation?
Because this attack is easy to carry out and can disrupt daily operations, damage reputation, and expose personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is equally important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, so that attackers cannot use them to establish a foothold within the network.
Appendix
KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (Microsoft)
CVE-2021-34473 (Microsoft)
CVE-2021-34523 (Microsoft)
CVE-2021-31207 (Microsoft)
PetitPotam NTLM relay attack allows attackers to take over Windows domains (Fortinet)
Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell (Fortinet)
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers (Symantec)