2022-10-18

AhnLabs Reports of LockBit Operators Exploiting Exchange Vulnerabilities

Level: 
Tactical
  |  Source: 
AhnLabs
Share:

AhnLabs Reports of LockBit Operators Exploiting Exchange Vulnerabilities  

Category: Ransomware News | Industry: N/A | Level: Tactical | Source: AhnLabs

South Korean cybersecurity firm, AhnLab reports a LockBit 3.0 ransomware intrusion exploiting undisclosed Microsoft Exchange zero-days on two 2016 Windows Servers to deploy ransomware in just seven days. The compromised organization is shared to have a history of security incidents tied to vulnerable Microsoft Exchange Servers as their previous incident was documented in December 2021. The Exchange vulnerability used by the ransomware operators is unknown. The latest patch applied by the organization was on July 9th for patch KB5014261 released on May 10th. Based on the attack tactic, the recently disclosed CVE-2022-41040 - Server-Side Request Forgery (SSRF) and CVE-2022-41082 - Remote code execution (RCE) are likely not the vulnerabilities used by the attackers. "Looking at the Microsoft Exchange Server vulnerability history, the remote code execution vulnerability was disclosed on December 16, 2021, (CVE-2022-21969), the privilege escalation vulnerability was disclosed in February 2022, and the most recent vulnerability was on June 27. Information Disclosure Vulnerability vulnerability. That is, among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation." After exploiting Exchange, the operators uploaded two web shells on July 21st. Eight hours later, Mimikatz was executed with system privileges to obtain admin passwords. Following the execution of a batch script to create a firewall rule and modify the registry to enable RDP, the operators established a tunnel with plink. Leading up to ransomware deployment, the attackers moved laterally in the compromised environment with TeamViewer running reconnaissance of the victim's network using NetScan and SharpHound. An excess of 1.3 TB of data was stolen from the network before the ransomware was deployed with batch scripts.

Anvilogic Scenario:

  • Credential Access Leads to RDP & Tunneling

Anvilogic Use Cases:

  • Potential Web Shell
  • Mimikatz Execution
  • Tunneling Process Created

Get trending threats published weekly by the Anvilogic team.

Sign Up Now