"LockFile Ransomware Attacks Exploit ProxyShell Vulnerabilities on Unpatched Microsoft Exchange Servers"

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency alert on the active exploitation of Microsoft Exchange ProxyShell vulnerabilities by threat actors in the wild. ProxyShell is a set of vulnerabilities discovered by DevCore security researcher Orange Tsai and demonstrated at the August Black Hat security conference. The cybersecurity firm Huntress also found more than 140 webshells executed against 1,900 unpatched Exchange servers. According to a security researcher at Huntress, the organizations impacted include manufacturing, seafood processors, auto repair shops, industrial machinery, a small residential airport, and more. Several other researchers also detected malicious activity involving the exploitation of ProxyShell vulnerabilities for the potential launch of LockFile ransomware attacks. Threat actors have dropped webshells using ProxyShell vulnerabilities to gain persistent access to affected Microsoft Exchange servers. The webshells were used to install backdoors for LockFile ransomware attacks as well as to launch PetitPotam attacks to hijack servers. This article continues to discuss the weaponization of ProxyShell vulnerabilities for potential LockFile ransomware attack execution.

CPO Magazine reports "LockFile Ransomware Attacks Exploit ProxyShell Vulnerabilities on Unpatched Microsoft Exchange Servers"

Submitted by Anonymous on