Windows Exchange servers hit by LockBit ransomware

LockBit ransomware deployed on compromised Windows Exchange Server


Hackers likely used a new zero-day to compromise Exchange servers, researchers believe

Researchers at South Korean cybersecurity firm AhnLab have issued a warning about an ongoing campaign by malicious actors to compromise Microsoft Exchange servers in order to distribute the LockBit 3.0 ransomware.

LockBit 3.0 is a ransomware strain capable of encrypting and exfiltrating all data stored on an infected system. It succeeds LockBit 1.0 and 2.0 as the latest variant in the LockBit ransomware-as-a-service (RaaS) family.

This specific ransomware variant was initially identified in the spring of 2022 and has since gained widespread adoption among hackers.

In addition to encrypting and exfiltrating data, LockBit 3.0 may also disable certain services on infected systems to make exfiltration easier. Once the victim's data is encrypted, the infected device's wallpaper is changed to inform the victim that it has been attacked.

The AhnLab researchers say they found two Windows Server 2016 Standard servers hosted by a client infected with LockBit 3.0 ransomware in July 2022.

The attackers initially deployed a web shell on the compromised servers and escalated their privileges to Active Directory administrator within seven days. From there, they stole around 1.3 TB of data before encrypting systems on the network.

The same client had previously been targeted and compromised through Microsoft Exchange Server bugs in December 2021.

The researchers believe the most recent attack on their client's Exchange servers was likely conducted using an "undisclosed zero-day vulnerability", given that the victim had obtained technical support from Microsoft to apply the quarterly security patches after the December 2021 hack.

"Among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation," AhnLab explained.

According to the researchers, it is possible that the attackers took advantage of CVE-2022-41040 and CVE-2022-41082, two recently identified vulnerabilities known collectively as "ProxyNotShell".

However, based on a number of factors, including the attack method, the file names, and the subsequent attacks, the AhnLab researchers said that the attacker most likely used a distinct zero-day vulnerability.

Cybersecurity expert Kevin Beaumont and other well-known professionals disagree with that assertion and say a zero-day is unlikely.

"There's a lot going on in this report about LockBit ransomware, and I'm not convinced it's a zero day (there's no evidence in report), but one to keep an eye on," Beaumont tweeted.

Will Dormann likewise noted that the AhnLab analysis did not demonstrate a new zero-day.

"So far I've only skimmed a translated version of the page, but what evidence is provided that it's a different vulnerability?" he added.

Separately, at least three vulnerabilities in Microsoft Exchange found by Zero Day Initiative vulnerability researcher Piotr Bazydlo have not yet been fixed, according to Bleeping Computer.

The three issues were reported on September 20, 2022, and are identified by ZDI as ZDI-CAN-18881, ZDI-CAN-18882, and ZDI-CAN-18932.

This week, Microsoft drew criticism from security experts for not yet releasing patches for the ProxyNotShell flaws (CVE-2022-41040 and CVE-2022-41082), which are now being exploited by state-backed groups.

The vulnerabilities were made public by Vietnamese cybersecurity firm GTSC in late September, after it spotted and reported the attacks.

Microsoft said it was speeding up work on official fixes for these issues and advised administrators to apply its recommended mitigation settings to reduce the risk from the attacks in the meantime.