{
	"id": "bbc3a7f0-0444-439b-a934-4dde7a9dfa91",
	"created_at": "2026-04-06T00:08:27.152427Z",
	"updated_at": "2026-04-10T03:20:29.47655Z",
	"deleted_at": null,
	"sha1_hash": "710ca5bd5e4e105a9b15a3ea1dd4ab658cb0d18f",
	"title": "Microsoft Exchange servers hacked to deploy LockBit ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1747165,
	"plain_text": "Microsoft Exchange servers hacked to deploy LockBit ransomware\r\nBy Sergiu Gatlan\r\nPublished: 2022-10-11 · Archived: 2026-04-06 00:05:14 UTC\r\nMicrosoft is investigating reports of a new zero-day bug abused to hack Exchange servers which were later used to launch LockBit ransomware attacks.\r\nIn at least one such incident from July 2022, the attackers used a previously deployed web shell on a compromised Exchange server to escalate privileges to Active Directory admin, steal roughly 1.3 TB of data, and encrypt network systems.\r\nAs described by South Korean cybersecurity firm AhnLab, whose forensic analysis experts were hired to help with the investigation, it took the threat actors only a week to hijack the AD admin account from when the web shell was uploaded.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware/\r\nPage 1 of 4\r\nAhnLab says the Exchange servers were likely hacked using an \"undisclosed zero-day vulnerability,\" given that the victim received technical support from Microsoft to deploy quarterly security patches after a previous compromise from December 2021.\r\n\"Among the vulnerabilities disclosed after May, there were no reports of vulnerabilities related to remote commands or file creation,\" AhnLab explained.\r\n\"Therefore, considering that WebShell was created on July 21, it is expected that the attacker used an undisclosed zero-day vulnerability.\"\r\nAs a Microsoft spokesperson told BleepingComputer earlier today, the company is \"investigating the claims in this report and will take any action needed to help protect customers.\"\r\nNew Microsoft Exchange zero-days?\r\nWhile Microsoft is currently working on security patches to address two actively exploited Microsoft Exchange zero-days tracked as CVE-2022-41040 and CVE-2022-41082, AhnLab added that the one used to gain access to the Exchange server in July might be different since attack tactics don't overlap.\r\n\"There is a possibility that the vulnerabilities of Microsoft Exchange Server (CVE-2022-41040, CVE-2022-41082) disclosed by GTSC, a Vietnamese security company, on September 28 were used, but the attack method, the generated WebShell file name, and subsequent attacks after WebShell creation,\" AhnLab says.\r\n\"It is presumed that a different attacker used a different zero-day vulnerability.\"\r\nAlthough differences in the delivery method can't be considered enough evidence that the attackers used a new zero-day, and security experts are also not convinced this is the case, at least one more security vendor knows of three other undisclosed Exchange flaws and provides \"vaccines\" to block exploitation attempts.\r\nDiscovered by Zero Day Initiative vulnerability researcher Piotr Bazydlo and reported to Microsoft three weeks ago, they are tracked by cybersecurity software firm Trend Micro as ZDI-CAN-18881, ZDI-CAN-18882, and ZDI-CAN-18932 after its analysts validated the issues.\r\nUndisclosed Exchange flaws (Trend Micro)\r\nThe company has also added detection signatures for these Exchange zero-days (tagged as critical severity by Trend Micro) to its IPS N-Platform, NX-Platform, and TPS products since October 4, 2022.\r\n\"This filter protects against exploitation of a zero-day vulnerability affecting Microsoft Exchange,\" Trend Micro says in a Digital Vaccine support document.\r\nMicrosoft hasn't disclosed any information regarding these three security flaws since they were reported and is yet to assign a CVE ID to track them.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware/"
	],
	"report_names": [
		"microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/710ca5bd5e4e105a9b15a3ea1dd4ab658cb0d18f.pdf",
		"text": "https://archive.orkl.eu/710ca5bd5e4e105a9b15a3ea1dd4ab658cb0d18f.txt",
		"img": "https://archive.orkl.eu/710ca5bd5e4e105a9b15a3ea1dd4ab658cb0d18f.jpg"
	}
}