Nasty new malware targets Microsoft Exchange servers

Ransomware operators are once again going after Microsoft Exchange servers


A new ransomware operator known as LockFile encrypts Windows domains after breaking into vulnerable Microsoft Exchange servers using the recently disclosed ProxyShell exploit.

ProxyShell is the collective name for an exploit that chains three vulnerabilities in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207); together they give an unauthenticated, remote attacker code execution on the server.

Microsoft had fully patched these vulnerabilities by May 2021, but further technical details were shared at the recently concluded Black Hat 2021 by cybersecurity researcher Orange Tsai, who discovered them.


BleepingComputer reports that the new details shared by Tsai allowed both security researchers and threat actors to reproduce the exploit.

Ransomware on Exchange

Following the talk, security researcher Kevin Beaumont noticed that threat actors had once again begun probing his Microsoft Exchange honeypot for the ProxyShell vulnerabilities.

Another security researcher, Rich Warren, whose Exchange honeypot was also probed using the new attack vector, told BleepingComputer that the initial payload the attackers deployed on vulnerable servers was benign. He expected it to be swapped out for something far more malicious once the attackers had broken into enough servers.

His fears have now come true.


Beaumont now reports that a new ransomware operation known as LockFile uses ProxyShell to compromise Exchange servers and then abuses the Windows PetitPotam NTLM relay attack to take over the Windows domain, after which it encrypts devices across it.

First seen in July, LockFile is a ransomware about which very little is known so far, BleepingComputer says. In any case, security experts urge administrators to patch their Exchange servers immediately by installing the latest cumulative update together with its security updates, and to apply Microsoft's PetitPotam mitigations for Active Directory Certificate Services (KB5005413).
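Patching closes the door, but administrators also want to know whether the probing Beaumont and Warren saw on their honeypots reached their own servers. The script below is an added example, not code from the article or from the researchers it cites. It assumes default IIS W3C logging on the Exchange front end, and keys on one indicator: a request to /autodiscover/autodiscover.json whose query string begins with "@", the path-confusion form ProxyShell uses, optionally carrying a forwarded path to the /powershell or /mapi/nspi backends. The log excerpt is constructed for the demonstration and is not real traffic.

```python
"""Triage IIS W3C logs for ProxyShell-style probing of Exchange Autodiscover.

Added example (not from the article or the cited researchers).
Assumed indicator: cs-uri-stem ends in /autodiscover/autodiscover.json and the
decoded cs-uri-query starts with '@'; the forwarded backend path, if present,
tells you how far the attacker got.
"""
from urllib.parse import unquote

# Constructed sample log excerpt (not real traffic). Field order follows the
# "#Fields:" header exactly as IIS writes it.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-20 11:02:13 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 443 - 203.0.113.9 Mozilla/5.0 200
2021-08-20 11:02:41 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-20 11:02:42 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=REDACTED 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-20 11:03:05 10.0.0.5 GET /autodiscover/autodiscover.json - 443 - 203.0.113.9 Microsoft+Office/16.0 401
"""

# Backend paths that a path-confusion request may be forwarded to; the
# PowerShell backend is the one that leads to code execution.
BACKENDS = {"/powershell": "powershell-backend", "/mapi/nspi": "mapi-nspi-backend"}


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # line does not match the declared layout; skip it
        yield dict(zip(fields, parts))


def classify(entry):
    """Return the list of ProxyShell-related stages one request matches ([] if none)."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = unquote(entry.get("cs-uri-query", ""))
    if not stem.endswith("/autodiscover/autodiscover.json"):
        return []
    if not query.startswith("@"):
        return []  # normal Autodiscover traffic: query is '-' or ordinary parameters
    stages = ["autodiscover-path-confusion"]
    lowered = query.lower()
    for prefix, name in BACKENDS.items():
        if prefix in lowered:
            stages.append(name)
    return stages


def scan_iis_log(text):
    """Return a finding per suspicious request: time, client, method, decoded query, stages."""
    findings = []
    for entry in parse_iis_log(text):
        stages = classify(entry)
        if stages:
            findings.append({
                "time": f"{entry['date']} {entry['time']}",
                "client": entry.get("c-ip"),
                "method": entry.get("cs-method"),
                "query": unquote(entry.get("cs-uri-query", "")),
                "stages": stages,
            })
    return findings


def summarize_by_client(findings):
    """Map each client IP to the set of stages it reached. A client that hit the
    PowerShell backend calls for incident response, not just a firewall block."""
    summary = {}
    for f in findings:
        summary.setdefault(f["client"], set()).update(f["stages"])
    return summary


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_IIS_LOG)
    for h in hits:
        print(h["time"], h["client"], h["method"], h["stages"])
    print(summarize_by_client(hits))
```

Run it against the real files under C:\inetpub\logs\LogFiles on the Exchange server (or the copies your log pipeline keeps); a hit on the PowerShell backend with a 200 status means the patch level and the server's integrity need to be checked, since LockFile's next step after this is the PetitPotam relay against the domain.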

Via BleepingComputer

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
