The Conti ransomware gang has been attacking Microsoft Exchange servers and breaching corporate networks through the recently disclosed set of vulnerabilities dubbed ProxyShell.
ProxyShell is an exploit that lets an attacker execute code without authentication on unpatched Microsoft Exchange servers by chaining three known security issues in Microsoft Exchange. The bugs were discovered by Devcore’s Orange Tsai and presented at Pwn2Own 2021.
Although Microsoft has already patched the vulnerabilities, attackers continue to exploit them on servers that have not been updated.
Attackers have been using the ProxyShell vulnerabilities to drop webshells, backdoors, and ransomware, including LockFile ransomware.
Last week, cybersecurity company Sophos responded to an incident in which the Conti ransomware gang encrypted a company’s servers. After analyzing the details of the attack, Sophos determined that the attackers had used the ProxyShell vulnerabilities to gain access to the network.
Once the attackers had full control of the server, they quickly fell back into their usual routine: enumerating servers and domain admins, dumping LSASS to obtain administrator credentials, and moving laterally across the network.
The attackers then installed various tools to maintain remote access to the compromised devices and, after exfiltrating data, began encrypting it.
“Over the course of the intrusion, the Conti affiliates installed no fewer than seven back doors on the network: two web shells, Cobalt Strike, and four commercial remote access tools (AnyDesk, Atera, Splashtop and Remote Utilities),” explained Sophos in its report. “The web shells, installed early on, were used mainly for initial access; Cobalt Strike and Any Desk were the primary tools they used for the remainder of the attack.”
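The behaviours Sophos describes above (shells spawned from the Exchange web server, LSASS access, and several commercial remote-access tools appearing on one host) are the kind of signals a defender would hunt for. The following is an added triage example, not code from the Sophos report; the event field names, the process-name substrings and the LSASS allowlist are assumptions about what an EDR export might contain.

```python
# Added example: triage constructed endpoint events for the Conti tradecraft
# described above. Field names and process names are assumed, not from the report.

# Remote-access tools and C2 agent named in the report, matched as substrings
# after stripping separators (e.g. "Splashtop_Streamer.exe" -> "splashtop").
REMOTE_ACCESS_TOOLS = ("anydesk", "atera", "splashtop", "remoteutilities", "cobaltstrike")
# Processes permitted to open lsass.exe; site-specific and assumed here.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# The IIS worker process spawning a shell is a common web-shell indicator.
SHELLS = {"cmd.exe", "powershell.exe"}


def triage(events):
    """Return {host: [(finding_kind, detail), ...]} for a list of event dicts."""
    findings = {}
    for ev in events:
        image = ev["image"].lower()
        parent = ev.get("parent", "").lower()
        target = ev.get("target", "").lower()
        hits = findings.setdefault(ev["host"], [])
        if parent == "w3wp.exe" and image in SHELLS:
            hits.append(("webshell_exec", image))
        if target == "lsass.exe" and image not in LSASS_ALLOWLIST:
            hits.append(("lsass_access", image))
        normalised = image.replace(" ", "").replace("_", "").replace("-", "")
        for tool in REMOTE_ACCESS_TOOLS:
            if tool in normalised:
                hits.append(("remote_access_tool", tool))
    return findings


def distinct_backdoors(findings, host):
    """Count distinct remote-access tools seen on one host (several is suspicious)."""
    return len({t for kind, t in findings.get(host, []) if kind == "remote_access_tool"})


SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"host": "exch01", "image": "cmd.exe", "parent": "w3wp.exe"},
    {"host": "exch01", "image": "unknown-dumper.exe", "target": "lsass.exe"},
    {"host": "exch01", "image": "MsMpEng.exe", "target": "lsass.exe"},
    {"host": "ws17", "image": "AnyDesk.exe", "parent": "explorer.exe"},
    {"host": "ws17", "image": "AteraAgent.exe", "parent": "msiexec.exe"},
    {"host": "ws17", "image": "Splashtop_Streamer.exe", "parent": "msiexec.exe"},
    {"host": "ws42", "image": "outlook.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, hits, "distinct RATs:", distinct_backdoors(triage(SAMPLE_EVENTS), host))
```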
What made this particular attack stand out was its precision and speed: the attackers took only 48 hours to steal 1 TB of data.
“Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.”
All Exchange server admins are urged to apply the latest cumulative updates from Microsoft to stay protected.