Microsoft recently fixed a severe vulnerability that enables the PetitPotam NTLM relay attack. Despite the fix, the technique is still being exploited in the wild: researchers have found a new ransomware family, LockFile, using PetitPotam to take over Windows domains.
LockFile Ransomware Exploiting PetitPotam Attack
According to a recent post from Symantec, its researchers have observed new ransomware, "LockFile," using the PetitPotam attack technique. The attackers use it to take over target organizations' networks and hijack their Windows domains.
PetitPotam came to light in July, when a researcher published a proof of concept showing that a domain controller can be coerced, through the EFSRPC interface, into authenticating to an attacker-controlled host, with the captured NTLM authentication then relayed to Active Directory Certificate Services to obtain a certificate for the domain controller account. Soon after, Microsoft issued an advisory on mitigating the attack; the guidance centred on disabling NTLM authentication where it is not required and enforcing Extended Protection for Authentication on the AD CS web enrollment endpoints.
In the August Patch Tuesday updates, Microsoft then patched the underlying issue as CVE-2021-36942.
However, organizations are often slow to patch, and the August fix does not block every PetitPotam variant, so attackers have had ample time to put the technique to work.
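The following script is an added example, not code from the original article or from Microsoft's advisory. It audits a domain controller or AD CS server for the two mitigations described above: whether NTLM is restricted (read from the registry values behind the "Restrict NTLM" Group Policy settings) and whether Extended Protection for Authentication and SSL are required on the AD CS web applications in IIS. The IIS site name ("Default Web Site") and application names ("CertSrv" and a CES application) are assumptions that must match the deployment being checked; the script is read-only and changes nothing.

```powershell
# Added example: read-only audit of the PetitPotam / NTLM relay mitigations.
# Run in an elevated PowerShell session on a domain controller or AD CS host.
# Registry paths are the documented backing values of the named Group Policy
# settings; IIS site and application names are assumptions for this example.

function Get-NtlmRestrictionState {
    # "Network security: Restrict NTLM: Incoming NTLM traffic"
    #   0 = allow all, 1 = deny domain accounts, 2 = deny all accounts
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $incoming = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic

    # "Network security: Restrict NTLM: NTLM authentication in this domain" (DCs only)
    #   0 = disabled, 1/3/5 = partial deny, 7 = deny all
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $inDomain = (Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue).RestrictNTLMInDomain

    [pscustomobject]@{
        IncomingNtlmTraffic = if ($null -eq $incoming) { 0 } else { [int]$incoming }  # absent = not configured = allow
        NtlmInDomain        = if ($null -eq $inDomain) { 0 } else { [int]$inDomain }
    }
}

function Get-AdcsEpaState {
    # Extended Protection for Authentication on the AD CS web endpoints.
    # Guidance: tokenChecking = Require and SSL required on Certificate Authority
    # Web Enrollment (/CertSrv) and the Certificate Enrollment Web Service
    # (/<CAName>_CES_Kerberos). Both application names are assumptions here.
    param([string[]]$Applications = @('CertSrv', 'CA_CES_Kerberos'))
    try { Import-Module WebAdministration -ErrorAction Stop }
    catch { Write-Verbose 'WebAdministration module not present; no AD CS web roles on this host.'; return }

    foreach ($app in $Applications) {
        $psPath = "IIS:\Sites\Default Web Site\$app"
        if (-not (Test-Path $psPath)) { continue }
        $epa = Get-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name extendedProtection
        $ssl = Get-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/security/access' -Name sslFlags
        # sslFlags may come back as a string or as a configuration attribute object
        $sslText = if ($ssl.PSObject.Properties['Value']) { [string]$ssl.Value } else { [string]$ssl }
        [pscustomobject]@{
            Application   = $app
            TokenChecking = [string]$epa.tokenChecking   # None | Allow | Require
            RequireSsl    = $sslText -match '\bSsl\b'
        }
    }
}

function Test-PetitPotamMitigations {
    $findings = @()
    $ntlm = Get-NtlmRestrictionState
    if ($ntlm.IncomingNtlmTraffic -lt 2) {
        $findings += "Incoming NTLM is still accepted on this host (RestrictReceivingNTLMTraffic=$($ntlm.IncomingNtlmTraffic))."
    }
    if ($ntlm.NtlmInDomain -ne 7) {
        $findings += "NTLM is still permitted in the domain (RestrictNTLMInDomain=$($ntlm.NtlmInDomain)); audit first, then deny."
    }
    foreach ($epa in @(Get-AdcsEpaState)) {
        if ($epa.TokenChecking -ne 'Require') {
            $findings += "EPA is not Required on /$($epa.Application) (tokenChecking=$($epa.TokenChecking))."
        }
        if (-not $epa.RequireSsl) {
            $findings += "SSL is not required on /$($epa.Application); EPA channel binding needs TLS."
        }
    }
    if ($findings.Count -eq 0) { 'No gaps found against the recommended mitigations.' } else { $findings }
}

Test-PetitPotamMitigations
```

The script deliberately does not check whether the August update is installed: the KB number differs per Windows version, so verify CVE-2021-36942 coverage through your patch management tooling. Note also that disabling NTLM domain-wide should be preceded by an audit period (the "Audit all" values of the same policies) so that legacy applications that still depend on NTLM are found before they break.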
About The Attack
Briefly, the attack begins with the attackers compromising on-premises Microsoft Exchange servers to gain access to the target network. For this they exploit the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207). Microsoft had patched the first two in April 2021 and the third in May 2021, although it did not publish advisories for the first two until July.
Once inside, they establish a foothold on the network before starting the ransomware deployment. Roughly half an hour before executing the ransomware, the attackers push additional tools to the compromised Exchange servers, including a PetitPotam exploit, and use it to take over a domain controller.
After taking control of the domain controller, they deploy and execute the ransomware. As the Symantec post explains:
Once access has been gained to the local domain controller, the attackers copy over the LockFile ransomware, along with a batch file and supporting executables, onto the domain controller. These files are copied into the “sysvol\domain\scripts” directory. This directory is used to deploy scripts to network clients when they authenticate to the domain controller. This means that any clients that authenticate to the domain after these files have been copied over will execute them.
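The "sysvol\domain\scripts" directory quoted above is what domain-joined machines see as the NETLOGON share (locally on a domain controller it sits under %SystemRoot%\SYSVOL\sysvol\<domain>\scripts). Its contents change rarely in a healthy domain, so a hash baseline of the share is a cheap way to catch exactly the staging step Symantec describes. The script below is an added example, not part of the Symantec report or the LockFile tooling; the share path (derived from the USERDNSDOMAIN environment variable) and the baseline file location are assumptions.

```powershell
# Added example: baseline the NETLOGON share and flag files that appear in it
# or change. New or modified executable content here is a high-priority alert,
# because every client that authenticates can be made to run it.
# Share path and baseline location are assumptions for this example.

$RiskyExtensions = '.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.msi', '.scr'

function Get-NetlogonInventory {
    # Hash every file in the share; keep paths relative so the baseline is portable.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath  = $_.FullName.Substring($Path.Length).TrimStart('\')
            Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            LastWriteUtc  = $_.LastWriteTimeUtc
            Executable    = ($_.Extension.ToLower() -in $RiskyExtensions)
        }
    }
}

function Compare-NetlogonInventory {
    # Report files that are new or whose hash differs from the baseline.
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($f in $Baseline) { $known[$f.RelativePath] = $f.Sha256 }
    foreach ($f in $Current) {
        $change = if (-not $known.ContainsKey($f.RelativePath)) { 'NEW' }
                  elseif ($known[$f.RelativePath] -ne $f.Sha256) { 'MODIFIED' }
                  else { $null }
        if ($change) {
            [pscustomobject]@{
                Change       = $change
                File         = $f.RelativePath
                Executable   = $f.Executable
                LastWriteUtc = $f.LastWriteUtc
            }
        }
    }
}

function Invoke-NetlogonCheck {
    param(
        [string]$Share    = "\\$env:USERDNSDOMAIN\NETLOGON",          # assumption: domain-joined host
        [string]$Baseline = "$env:ProgramData\netlogon-baseline.json"  # assumption: local baseline store
    )
    $current = @(Get-NetlogonInventory -Path $Share)
    if (-not (Test-Path $Baseline)) {
        # First run: record the known-good state. Review it by hand before trusting it.
        $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Baseline
        return "Baseline written to $Baseline ($($current.Count) files)."
    }
    $known   = @(Get-Content -Path $Baseline -Raw | ConvertFrom-Json)
    $changes = @(Compare-NetlogonInventory -Baseline $known -Current $current)
    if ($changes.Count -eq 0) { return 'NETLOGON matches baseline.' }
    # Executables first: a .bat or .exe dropped here is the scenario in the report.
    $changes | Sort-Object -Property Executable -Descending | Format-Table -AutoSize | Out-String
    if ($changes | Where-Object { $_.Executable }) {
        Write-Warning 'Executable content added or changed in NETLOGON; investigate before clients pick it up.'
    }
}

Invoke-NetlogonCheck
```

Run it from a scheduled task on a monitoring host with read access to the share, and store the baseline somewhere the domain controllers cannot overwrite; a baseline kept on the compromised DC itself could be updated by the same attacker who dropped the ransomware. Files in NETLOGON only run on clients through logon scripts assigned by user attributes or Group Policy, so pair this check with a review of which scripts are actually assigned.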
LockFile is active in the wild and claiming victims, though it is not yet clear whether any large organizations are among them, and the size of its ransom demands is also unknown.
Let us know your thoughts in the comments.