Threat Signal Report

Brand New LockFile Ransomware Distributed Through ProxyShell and PetitPotam

Description

FortiGuard Labs is aware of reports that previously unseen ransomware "LockFile" is being distributed using ProxyShell and PetitPotam. The attacker gains a foothold into the victim's network using ProxyShell, then uses PetitPotam to gain access to the domain controller which then enables them to deploy the LockFile ransomware onto the network.


What is The Issue?

A new ransomware dubbed LockFile is being distributed using ProxyShell and PetitPotam, both of which Microsoft recently released fixes for. Proof-of-concept code for ProxyShell is publicly available, and attacks exploiting it are becoming increasingly common.


How does the Attack Work?

The attacker gains a foothold into the victim's network using ProxyShell, then uses PetitPotam to gain access to the domain controller, which then enables the release of the LockFile ransomware onto the network.


What is ProxyShell and PetitPotam?

ProxyShell is a name for a Microsoft Exchange exploit chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that allows the attacker to bypass ACL controls, elevate privileges and execute remote code on the compromised system.

PetitPotam (CVE-2021-36942) is an NTLM (NT LAN Manager) relay attack that allows the attacker to take control of a Windows domain on which Active Directory Certificate Services (AD CS) is running.


FortiGuard Labs previously posted Threat Signals on ProxyShell and PetitPotam. See the Appendix for the links to the relevant Threat Signals.


Are the Patches Available for ProxyShell and PetitPotam?

The three vulnerabilities that make up ProxyShell have already been patched, as follows:

CVE-2021-34473 and CVE-2021-34523: Microsoft released a patch as part of the April 2021 Patch Tuesday.

CVE-2021-31207: Microsoft released a patch as part of the May 2021 Patch Tuesday.


CVE-2021-36942 is dubbed PetitPotam and was patched by Microsoft as part of the August 2021 Patch Tuesday.

Microsoft has also provided mitigation for PetitPotam. See the Appendix for a link to "KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services".


What is LockFile ransomware?

LockFile is a previously unseen ransomware that first appeared in late July 2021.

Just like any other ransomware, LockFile encrypts files on the compromised system, asks the victim to access the attacker's onion site and demands ransom in order to recover the encrypted files.


What is the Status of Coverage?

FortiGuard Labs has the following AV coverage against the attack:


W64/KillProc.M!tr

W32/Agent.QH!exploit

W32/PetitPotam.A!exploit

Riskware/KernelDrUtil.E

Riskware/KDU


FortiGuard Labs has the following IPS coverage against ProxyShell and PetitPotam:


MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution

MS.Windows.Server.NTLM.Relay.Spoofing (initial action is set to "pass")


FortiEDR detects and blocks ProxyShell attacks out of the box, without prior knowledge of the attack or any special configuration.


All known network IOCs are blocked by the FortiGuard WebFiltering Client.


Any Other Suggested Mitigation?

Due to the ease of disruption and the potential for damage to daily operations and reputation, unwanted release of personally identifiable information (PII), and similar harm, it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed and patched, to prevent attackers from establishing a foothold within the network.
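As an added example that is not part of the FortiGuard report, the script below audits (and optionally enforces) two of the hardening settings from KB5005413 on an AD CS server's Web Enrollment application: Extended Protection for Authentication set to "Require" and SSL required. It assumes it is run elevated on the AD CS server with the IIS WebAdministration module installed, and that the enrollment application lives at "Default Web Site/CertSrv" (pass -Locations to cover other endpoints); the function name is hypothetical.

```powershell
<#
Added example, not from the FortiGuard report. Audits, and with -Enforce applies,
the KB5005413 settings that make NTLM relay against AD CS web enrollment fail:
EPA (channel binding) set to "Require" and SSL required on the endpoint.
Assumptions: elevated session on the AD CS server, WebAdministration module present,
enrollment app at "Default Web Site/CertSrv" unless overridden with -Locations.
#>
function Test-AdcsNtlmRelayHardening {
    [CmdletBinding()]
    param(
        [string[]]$Locations = @('Default Web Site/CertSrv'),
        [switch]$Enforce
    )
    Import-Module WebAdministration -ErrorAction Stop

    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'
    $access  = 'system.webServer/security/access'

    foreach ($loc in $Locations) {
        # EPA: tokenChecking must be "Require" so a relayed NTLM handshake fails channel binding
        $epa = (Get-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter $winAuth).extendedProtection.tokenChecking
        # SSL: channel binding only protects the endpoint when it is reachable over TLS only
        $ssl = (Get-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter $access).sslFlags

        $epaOk = ($epa -eq 'Require')
        $sslOk = ($ssl -match '\bSsl\b')   # "SslNegotiateCert" alone does not require SSL

        if (-not $epaOk -and $Enforce) {
            Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $winAuth `
                -Name 'extendedProtection.tokenChecking' -Value 'Require'
            $epaOk = $true
        }
        if (-not $sslOk -and $Enforce) {
            Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $access `
                -Name 'sslFlags' -Value 'Ssl'
            $sslOk = $true
        }

        [pscustomobject]@{
            Location    = $loc
            EpaRequired = $epaOk
            SslRequired = $sslOk
            Compliant   = ($epaOk -and $sslOk)
        }
    }
}

# Audit only; add -Enforce to apply the settings, then restart IIS (iisreset) for them to take effect.
Test-AdcsNtlmRelayHardening | Format-Table -AutoSize
```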


Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.