PetitPotam attacks rise to target Domain controllers

PetitPotam and ProxyShell vulnerabilities are being exploited by hacker groups to target Microsoft domain controllers and take over the entire domain. French security researcher Kevin Beaumont has written a detailed blog post about the method these groups use to plant ransomware through the domain controllers.

Since 20th July, 2021, when the first such attack, on a US-based financial services group, was detected, there have been more than 10 attacks on major companies’ IT infrastructure. All of them have exploited the PetitPotam vulnerability together with the set of Exchange vulnerabilities found by Orange Tsai.

The attackers use the unpatched Exchange servers of business organizations to gain an initial foothold in the network. These are the same vulnerabilities that we discussed on another page; you can refer to that link for the details. Once the attackers have exploited the Exchange servers, they use the PetitPotam vulnerability in an NTLM relay attack to reach the domain controllers on the network.

On the domain controllers, the attackers deploy remote web shells, which are used to download the LockFile ransomware onto the domain controller itself. When a network user connects to the domain controller, the ransomware is pushed down to the local drive, and this is where the local system is compromised: LockFile is executed remotely to encrypt user files and compromise the data on the user machine and across the network.

Kevin noticed that the remote shell commands were executed from the IP address 209.14.0.234. This address may be behind one such attack, but there is a strong possibility that new attacks will come from multiple IP addresses in multiple countries.

What can be done to avoid this attack?

The first thing you will want to do is run a scan to detect Exchange servers that are unpatched and fully exposed to the vulnerabilities found by Orange Tsai, also known as the ProxyShell vulnerabilities. You can write an nmap scan to do so; if you want something ready-made, check out this GitHub page. Microsoft released a security update patching these vulnerabilities on May 11th. Deploy the May security update on all Exchange servers that do not yet have it installed. You can read more about this security update at this link.

Next, address the PetitPotam vulnerability itself, although it is unclear whether the patch released by Microsoft fully prevents attacks on the domain controllers. Microsoft’s guidance on mitigating the NTLM relay attacks that exploit PetitPotam is available here.

Most importantly, take a proactive approach to network security: scan your perimeter regularly so you stay on top of unusual network activity and attacks against it, and check your domain controller and server logs for any unusual activity.
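As an added example (not from this article or from Kevin Beaumont’s post), the following Python filter flags one pattern that an NTLM relay built on PetitPotam leaves in domain controller logs: a network logon over NTLM using a DC’s machine account from an address that is not that DC. The field names follow Windows Security event 4624; the sample records and the DC inventory (`DC_ACCOUNT_IPS`) are constructed for the demonstration.

```python
# Constructed sample records modelled on the fields of Windows Security event 4624.
# They are illustrative only, not log lines from the article or any real incident.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.55", "WorkstationName": "-"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.0.0.23", "WorkstationName": "WS23"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.10", "WorkstationName": "DC01"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "IpAddress": "127.0.0.1", "WorkstationName": "DC01"},
]

# Assumed inventory (hypothetical): the addresses each DC machine account is
# expected to authenticate from. In practice this comes from your own AD records.
DC_ACCOUNT_IPS = {"DC01$": {"10.0.0.10"}}


def is_suspicious_relay(event, dc_ips=DC_ACCOUNT_IPS):
    """Return True for a network (type 3) NTLM logon that uses a domain
    controller's machine account but originates from an address other than
    that DC. Authentication coerced from a DC (PetitPotam style) and relayed
    by an attacker-controlled host produces exactly this combination."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    if event.get("AuthenticationPackageName") != "NTLM":
        return False
    account = event.get("TargetUserName", "")
    if not account.endswith("$") or account not in dc_ips:
        return False  # not a machine account, or not one of our DCs
    return event.get("IpAddress") not in dc_ips[account]


def find_suspicious(events, dc_ips=DC_ACCOUNT_IPS):
    """Filter a sequence of 4624-style records down to the suspicious ones."""
    return [e for e in events if is_suspicious_relay(e, dc_ips)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"possible NTLM relay: {hit['TargetUserName']} from {hit['IpAddress']}")
```

Treat a hit as a lead rather than a verdict: a DC’s account may legitimately authenticate over NTLM from a second interface, so the inventory should list every address the DC owns.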