LockBit Ransomware Spread through Microsoft Exchange Servers

Microsoft is once again confronted with reports of a new zero-day vulnerability being used to hack Exchange servers which might have led to the launch LockBit ransomware attacks.

In July 2022, two servers operated by a customer of the South Korean AhnLab cybersecurity firm were infected with LockBit 3.0 ransomware.

Another Zero-Day Vulnerability

As reported, threat actors initially deployed web shell on a compromised Exchange server and needed just 7 days to escalate privileges to Active Directory admin, stealing roughly 1.3 TB of data before encrypting systems hosted in the network.

Source

AhnLab`s forensic analysis experts claim the Exchange servers were likely hacked using an “undisclosed zero-day vulnerability,” at a time when Microsoft is already working on security patches to address two actively exploited Microsoft Exchange zero-days, CVE-2022-41040 and CVE-2022-41082.  AhnLab experts believe the one used to gain access to the Exchange server in July might be different since attack tactics differ. However, other experts do not seem too convinced that it might not be a zero-day altogether.

It is worth noting that the analysis is no longer accessible on the cybersecurity company`s site.

Undiscovered Vulnerabilities

Whether this event was truly caused by a zero-day flaw or not, there is a security vendor that claims it knows of three other undisclosed Exchange flaws and provides “vaccines” to block exploitation attempts. Discovered by Zero Day Initiative vulnerability researcher Piotr Bazydlo and already reported to Microsoft, they are tracked as ZDI-CAN-18881, ZDI-CAN-18882, and ZDI-CAN-18932.

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.