
Rewterz Threat Advisory – LockFile Ransomware Hacked Multiple Microsoft Exchange Servers

August 22, 2021

Severity

High

Analysis Summary

LockFile is being deployed through ProxyShell, a chain of three Microsoft Exchange Server vulnerabilities that together give an unauthenticated attacker remote code execution on the server:

CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass

CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend

CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE

After exploiting the chain, the attackers drop web shells on the Exchange server and use them to run further tooling and escalate privileges. The LockFile operators combine ProxyShell with the Windows PetitPotam NTLM relay attack against domain controllers to take over the Windows domain, then push the ransomware to devices across it. LockFile encrypts the user's data on each machine (photos, documents, spreadsheets, music, videos and so on), appends its own extension to every file, and writes a Recovery_Instructions.html ransom note into every folder that contains encrypted files.

Impact

  • Bypass Security
  • Code Execution
  • Privilege Escalation

Affected Vendors

Microsoft

Affected Products

Microsoft Exchange Server 2013, 2016 and 2019 (on-premises)

Indicators of Compromise

MD5

  • bc70a7b384558cafbbc04f00a59cbe8d
  • 8ed32ace2fbce50296d3a1a16d963ba7
  • 8d17765168677ef76400b497fb0c0fd3
  • 335b9a537a380ec5936a7210ad64d955

SHA-256

  • 36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9
  • 5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f
  • 1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b7
  • 7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd

SHA1

  • b8d1b1b4b759c4380293537fc4cc3622fffbd52e
  • 11ce3d5e6e3451d059f65c4676145020d42c3835
  • 32f7064bd6f740041ddd1d819a667b12d6c24a28
  • c17b605ad2630869e063ffc575c36c5b6c8f853a
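Two checks a responder would run against the indicators above and against the ProxyShell entry point, as an added example (this is not Rewterz's or Microsoft's tooling): hash every file under a directory and match it against the advisory's MD5/SHA-1/SHA-256 list, and scan IIS W3C logs for the CVE-2021-34473 request shape, a call to /autodiscover/autodiscover.json whose query begins with "@<host>/<backend path>" and carries an Email= value that is itself autodiscover.json, which is what smuggles a backend path past the front-end ACL. The hash values are the advisory's; the IIS log excerpt, the host name attacker.example, the X-Rps-CAT placeholder and the .aspx file written by the demo are constructed for the example.

```python
"""IOC hunting for the LockFile / ProxyShell advisory: added example, not
Rewterz's or Microsoft's tooling.  Hashes are the advisory's; the IIS log
excerpt, the host 'attacker.example' and the placeholder .aspx are constructed."""
import hashlib
import os
import re
import tempfile
from urllib.parse import unquote

ADVISORY_IOCS = {
    "md5": {"bc70a7b384558cafbbc04f00a59cbe8d", "8ed32ace2fbce50296d3a1a16d963ba7",
            "8d17765168677ef76400b497fb0c0fd3", "335b9a537a380ec5936a7210ad64d955"},
    "sha1": {"b8d1b1b4b759c4380293537fc4cc3622fffbd52e", "11ce3d5e6e3451d059f65c4676145020d42c3835",
             "32f7064bd6f740041ddd1d819a667b12d6c24a28", "c17b605ad2630869e063ffc575c36c5b6c8f853a"},
    "sha256": {
        "36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9",
        "5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f",
        "1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b7",
        "7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd",
    },
}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_iocs(iocs):
    """Indicators that can never match (wrong length or non-hex): a truncated
    hash in a pasted IOC list silently matches nothing."""
    return [(alg, v) for alg, values in iocs.items() for v in values
            if len(v) != HEX_LEN[alg] or not re.fullmatch(r"[0-9a-fA-F]+", v)]


def digests(path):
    """MD5, SHA-1 and SHA-256 of a file in one pass."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashes.items()}


def scan_tree(root, iocs):
    """Walk root; return [(relative path, [algorithms that matched])]."""
    wanted = {alg: {v.lower() for v in vals} for alg, vals in iocs.items()}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            matched = sorted(alg for alg, hx in digests(path).items() if hx in wanted.get(alg, ()))
            if matched:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), matched))
    return hits


# Constructed IIS W3C excerpt: requests 3 and 4 have the ProxyShell shape, 1 and 2 are normal.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-20 10:01:02 10.0.0.5 GET /owa/ - 443 - 10.0.0.77 Mozilla/5.0 - 200 0 0 31
2021-08-20 10:01:03 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 10.0.0.78 Microsoft+Office/16.0 - 200 0 0 45
2021-08-20 10:02:11 10.0.0.5 GET /autodiscover/autodiscover.json @attacker.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@attacker.example 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 120
2021-08-20 10:02:15 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.example/powershell/?X-Rps-CAT=TOKEN&Email=autodiscover/autodiscover.json%3F@attacker.example 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 210
"""
# The smuggled backend path sits between '@<host>' and the first '?' or '&'.
BACKEND_PATH = re.compile(r"^@[^/?&]+(/[^?&]*)")
EMAIL_SMUGGLE = re.compile(r"(?:^|[?&])email=autodiscover/autodiscover\.json", re.I)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_proxyshell_requests(text):
    """Requests to autodiscover.json whose query is '@host/<backend>' plus an
    Email= value that is itself autodiscover.json (CVE-2021-34473 shape)."""
    hits = []
    for rec in parse_w3c(text):
        query = unquote(rec.get("cs-uri-query", ""))
        if not rec.get("cs-uri-stem", "").lower().endswith("/autodiscover/autodiscover.json"):
            continue
        if not (query.startswith("@") and EMAIL_SMUGGLE.search(query)):
            continue
        m = BACKEND_PATH.match(query)
        hits.append({"time": rec.get("date", "") + " " + rec.get("time", ""),
                     "client": rec.get("c-ip"), "method": rec.get("cs-method"),
                     "status": rec.get("sc-status"), "backend_path": m.group(1) if m else None})
    return hits


def demo_hash_scan():
    """Throwaway tree with a benign file and a placeholder 'web shell' whose SHA-256
    is added to the IOC set (constructed, not an advisory hash), then scanned."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "aspnet_client"))
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"ordinary content\n")
        suspect = os.path.join(root, "aspnet_client", "suspect.aspx")
        with open(suspect, "wb") as f:
            f.write(b'<%@ Page Language="C#" %> placeholder, not a real web shell\n')
        iocs = {alg: set(vals) for alg, vals in ADVISORY_IOCS.items()}
        iocs["sha256"].add(digests(suspect)["sha256"])
        return scan_tree(root, iocs)
```

On a suspect host, run `scan_tree(r"C:\inetpub\wwwroot", ADVISORY_IOCS)` (and the Exchange FrontEnd directories) and feed the front-end IIS logs, by default under C:\inetpub\logs\LogFiles, to `find_proxyshell_requests`. Run `validate_iocs(ADVISORY_IOCS)` first: as printed above, one of the SHA-256 values is 63 characters long and will never match, so confirm it against the original sample before relying on it.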

Remediation

Microsoft has issued updates that correct these vulnerabilities. The fixes shipped in the Exchange Server Security Updates of April 2021 (CVE-2021-34473 and CVE-2021-34523) and May 2021 (CVE-2021-31207); Microsoft's advisory pages for the two April fixes were only published in July 2021, so a server that has not taken an Exchange Security Update since spring 2021 is exploitable even if its Windows patches are current. More details can be found at:

  • CVE-2021-31207: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207
  • CVE-2021-34523: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523
  • CVE-2021-34473: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473

Patching closes the entry point but does not remove an attacker who is already in: check the Exchange and IIS web directories for web shells, hunt for the indicators above, and rotate credentials on any domain where ProxyShell exploitation or PetitPotam relay activity is found. Microsoft's Exchange Server Health Checker script reports whether an installed build is still vulnerable to these CVEs.
