Researchers are warning of a new ransomware variant spreading globally by exploiting the “PetitPotam” vulnerability, which Microsoft only partially patched last week.
Symantec said the “LockFile” variant was first observed on July 20 in an attack on a US financial services firm and has since hit at least ten corporate victims around the world up to August 20.
Attacks begin by gaining access to victims’ Microsoft Exchange servers, although the exact vector is not yet clear.
Days after this initial access was established, the threat actors installed a set of tools on the compromised server, including an exploit for CVE-2021-36942 (PetitPotam) and additional files designed to download shellcode to assist with the exploitation.
First discovered by a French researcher around a month ago, PetitPotam is an NTLM relay attack vulnerability that an attacker with low privileges can use to take over a domain controller.
It has been reported that Microsoft’s Patch Tuesday fix for the bug does not fully patch the vulnerability.
“Once access has been gained to the local domain controller, the attackers copy over the LockFile ransomware, along with a batch file and supporting executables, onto the domain controller. These files are copied into the ‘sysvol\domain\scripts’ directory,” Symantec explained.
“This directory is used to deploy scripts to network clients when they authenticate to the domain controller. This means that any clients that authenticate to the domain after these files have been copied over will execute them.”
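Because every client runs what lands in that SYSVOL scripts share at logon, a defender can alert on executable or batch files being created there. The following is an added example, not code from Symantec's report or this article: a Python rule run over constructed Sysmon-style FileCreate (Event ID 11) records; the record field names, hostnames and sample paths are assumptions.

```python
"""Flag executable files written into a SYSVOL scripts share, the staging
location described above.  The events below are constructed Sysmon-style
FileCreate records; field names and paths are assumptions, not real telemetry."""
import ntpath
from typing import Iterable

# File types that run on logon; the report mentions a batch file and
# supporting executables being copied alongside the ransomware.
EXECUTABLE_EXT = {".exe", ".bat", ".cmd", ".ps1", ".vbs", ".dll"}

# Constructed sample records (assumed schema: EventID, Computer, Image, TargetFilename).
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "dc01.example.local", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\SYSVOL\\domain\\scripts\\deploy.bat"},
    {"EventID": 11, "Computer": "dc01.example.local", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Windows\\SYSVOL\\domain\\scripts\\lockfile.exe"},
    {"EventID": 11, "Computer": "dc01.example.local", "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Windows\\SYSVOL\\domain\\Policies\\{GUID}\\GPT.INI"},
    {"EventID": 1, "Computer": "ws05.example.local", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\bob\\notes.bat"},
    {"EventID": 11, "Computer": "ws05.example.local", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "\\\\dc01\\SYSVOL\\example.local\\scripts\\logon.bat"},
]


def in_sysvol_scripts(path: str) -> bool:
    """True when the path is under SYSVOL\\<domain>\\scripts, whether written via the
    DC-local path (C:\\Windows\\SYSVOL\\domain\\scripts) or the UNC share."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    for i, part in enumerate(parts):
        if part == "sysvol" and len(parts) > i + 2 and parts[i + 2] == "scripts":
            return True
    return False


def suspicious_sysvol_writes(events: Iterable[dict]) -> list[dict]:
    """Return FileCreate events that drop an executable type into a scripts share."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        target = ev.get("TargetFilename", "")
        ext = ntpath.splitext(target)[1].lower()
        if in_sysvol_scripts(target) and ext in EXECUTABLE_EXT:
            hits.append({"host": ev.get("Computer"), "image": ev.get("Image"), "file": target})
    return hits


if __name__ == "__main__":
    for hit in suspicious_sysvol_writes(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']}: {hit['image']} wrote {hit['file']}")
```

Legitimate logon-script changes will also match, so in production compare hits against a change-control allowlist rather than alerting on every write.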
The security giant added that although LockFile appears to be a new ransomware variant, it could have links to “previously seen or retired threats.”
Both the DarkSide and REvil/Sodinokibi operations have gone quiet in recent months after high-profile affiliate attacks put them in the media spotlight and under the scrutiny of the US government.
The threat actors behind LockFile use a ransom note similar in design to the one used by the LockBit gang and reference the Conti group in the email address they use for communications.