One Article Review

Source: Fortinet ThreatSignal
Identifier: 7284044
Publication date: 2022-10-02 22:03:46 (seen: 2022-10-03 06:07:34)
Title: Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam
Text: FortiGuard Labs is aware of reports that a previously unseen ransomware, "LockFile", is being distributed using ProxyShell and PetitPotam. The attacker gains a foothold in the victim's network through ProxyShell, then uses PetitPotam to take control of the domain controller, which in turn lets them deploy the LockFile ransomware across the network.

What is the Issue?
A new ransomware dubbed LockFile is being distributed using ProxyShell and PetitPotam, for which Microsoft recently released fixes. Proof-of-concept code for ProxyShell is publicly available, and such attacks are becoming increasingly common.

How does the Attack Work?
The attacker gains a foothold in the victim's network using ProxyShell, then uses PetitPotam to gain control of the domain controller, which then enables the release of the LockFile ransomware onto the network.

What are ProxyShell and PetitPotam?
ProxyShell is the name for a Microsoft Exchange exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows the attacker to bypass ACL controls, elevate privileges and execute code remotely on the compromised Exchange server.
PetitPotam (CVE-2021-36942) is an NTLM (NT LAN Manager) relay attack: it coerces a Windows host, such as a domain controller, into authenticating to the attacker, who relays that NTLM authentication to Active Directory Certificate Services (AD CS) and thereby takes control of the Windows domain.
FortiGuard Labs previously posted Threat Signals on ProxyShell and PetitPotam. See the Appendix for links to the relevant Threat Signals.

Are Patches Available for ProxyShell and PetitPotam?
The three vulnerabilities that make up ProxyShell are already patched, as follows:
CVE-2021-34473 and CVE-2021-34523: Microsoft released a patch as part of the April 2021 Patch Tuesday update.
CVE-2021-31207: Microsoft released a patch as part of the May 2021 Patch Tuesday update.
CVE-2021-36942, dubbed PetitPotam, was patched by Microsoft as part of the August 2021 Patch Tuesday update. Microsoft has also provided mitigation guidance for PetitPotam. See the Appendix for a link to "KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services". Note that the August patch only closes the unauthenticated coercion path; the KB5005413 hardening (Extended Protection for Authentication and disabling NTLM on the AD CS web enrollment endpoints) is what stops relayed authentication from reaching AD CS, so both should be applied.

What is LockFile Ransomware?
LockFile is a previously unseen ransomware that first appeared in late July 2021. Like other ransomware, LockFile encrypts files on the compromised system, directs the victim to the attacker's onion site and demands a ransom to recover the encrypted files.

What is the Status of Coverage?
FortiGuard Labs has the following AV coverage against the attack:
W64/KillProc.M!tr
W32/Agent.QH!exploit
W32/PetitPotam.A!exploit
Riskware/KernelDrUtil.E
Riskware/KDU
FortiGuard Labs has the following IPS coverage against ProxyShell and PetitPotam:
MS.Exchange.Server.Autodiscover.Remote.Code.Execution
MS.Windows.Server.NTLM.Relay.Spoofing (initial action is set to "pass", so it logs but does not block until the action is changed)
FortiEDR detects and blocks ProxyShell attacks out of the box, without prior knowledge or special configuration. All known network IOCs are blocked by the FortiGuard WebFiltering Client.

Any Other Suggested Mitigation?
Because of the ease of disruption and the potential for damage to daily operations and reputation, as well as the unwanted release of personally identifiable information (PII), it is important to keep all AV and IPS signatures up to date. It is equally important to ensure that all known vendor vulnerabilities within the organization are addressed and patched, to prevent attackers from establishing a foothold within the network.
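The attack chain above has two stages that leave distinct traces: the ProxyShell request shape in the Exchange server's IIS logs, and the relayed machine-account NTLM logon that PetitPotam-style coercion produces on the AD CS host. The following is an added example of hunting for both; it is not Fortinet code and not part of the original signal. The IIS log lines, the Windows 4624 events and the hostname-to-IP asset map are all constructed for the example, and the field names follow the IIS W3C and Windows Security event schemas.

```python
"""Hunt for the two stages of the LockFile intrusion chain (added example,
not Fortinet code): ProxyShell requests in Exchange IIS W3C logs, then
relayed machine-account NTLM logons on the AD CS server. All sample log
lines, events and the asset map below are constructed for the example."""
import re

# --- Stage 1: ProxyShell in IIS W3C logs -----------------------------------
# The ProxyShell SSRF hits /autodiscover/autodiscover.json with an "@" in the
# query and repeats that path in the Email parameter, e.g.
#   /autodiscover/autodiscover.json?@x.y/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@x.y
EMAIL_TRICK = re.compile(r"email=autodiscover/autodiscover\.json", re.I)
BACKEND = re.compile(r"^@[^/]+(/[^?&]*)")   # backend path the SSRF targets

SAMPLE_IIS = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-20 10:15:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.4 Mozilla/5.0 200
2021-08-20 10:15:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-20 10:15:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-20 10:16:00 10.0.0.5 GET /autodiscover/autodiscover.json - 443 alice@corp.local 10.0.0.44 Outlook/16.0 401
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif not line or line.startswith("#") or fields is None:
            continue
        else:
            parts = line.split(" ")
            if len(parts) == len(fields):       # skip malformed records
                yield dict(zip(fields, parts))


def find_proxyshell(text):
    """Return one finding per ProxyShell-shaped request in the log text."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "")
        if stem.endswith("/autodiscover/autodiscover.json") and "@" in query \
                and EMAIL_TRICK.search(query):
            m = BACKEND.match(query)
            hits.append({"client": rec.get("c-ip"),
                         "backend": m.group(1) if m else None,
                         "status": rec.get("sc-status")})
    return hits


# --- Stage 2: relayed machine-account NTLM logons (PetitPotam -> AD CS) ----
# A coerced DC authenticates to the attacker, who relays it to AD CS. On the
# AD CS server this is Event 4624 with LogonType 3, package NTLM and a
# machine account ("DC01$") whose source IpAddress is the relay host, not
# the DC itself. The asset map is a constructed assumption for the example.
KNOWN_HOSTS = {"DC01$": "10.0.0.10", "ADCS01$": "10.0.0.20"}

SAMPLE_EVENTS = [  # constructed 4624 records, keys as in the Windows event XML
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.10", "WorkstationName": "DC01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.50", "WorkstationName": "RELAY"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "10.0.0.44", "WorkstationName": "WS01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ADCS01$", "IpAddress": "10.0.0.20", "WorkstationName": "ADCS01"},
]


def find_relayed_machine_logons(events, known_hosts=KNOWN_HOSTS):
    """Flag NTLM network logons by a machine account from an unexpected IP."""
    suspects = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        account = ev.get("TargetUserName", "")
        if not account.endswith("$"):           # only machine accounts
            continue
        expected = known_hosts.get(account)
        if expected is not None and ev.get("IpAddress") != expected:
            suspects.append({"account": account, "from": ev.get("IpAddress"),
                             "expected": expected,
                             "workstation": ev.get("WorkstationName")})
    return suspects


if __name__ == "__main__":
    for h in find_proxyshell(SAMPLE_IIS):
        print("ProxyShell attempt:", h)
    for s in find_relayed_machine_logons(SAMPLE_EVENTS):
        print("Relayed machine-account logon:", s)
```

The stage-1 check keys on the request shape rather than on a specific attacker domain, so it also catches variants that aim the SSRF at /powershell/ or /ews/ instead of /mapi/nspi/. The stage-2 check needs an accurate asset map; a DC that legitimately uses NTLM from its own address is not flagged, only a machine account arriving from somewhere else.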
Sent: Yes
Tags: Ransomware, Threat


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.