Home > Attacks & Data Breaches > ProxyShell Exploits Used To Target Microsoft Exchange Servers

ProxyShell Exploits Used To Target Microsoft Exchange Servers

September 6, 2021
CIM Team

The Conti ransomware uses the ProxyShell vulnerability exploits that were recently disclosed to hack into Microsoft’s Exchange Servers.
Attackers can chain known Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to target unpatched servers and systems leading to unauthorized remote code execution.
In May 2021, Microsoft released patches for the mentioned security issues. However, the exploits for them were later released, which allowed various threat actors to start launching their attacks.
So far, the attacks using ProxyShell have been limited to deploying the LockFile ransomware and dropping web shells and backdoors.
Last week, the Conti ransomware attackers encrypted a customer of the cybersecurity firm Sophos. The researchers reported that the attackers used the Proxyshell vulnerabilities in the Microsoft Exchange servers to break into the user’s network.
The attackers have been observed dropping web shells that further comprise the network by downloading malware and executing malicious arbitrary code.
After this, the threat actors searched for all the computers and admins on the network and used dumping LSASS to gain administrator-level access to spread throughout the network, including other servers.
After compromising the servers, the attackers used tools like AnyDesk to control the device remotely. The threat actors followed the same procedure in most of their attacks, including the case analyzed by Sophos.
They stole unencrypted data, uploaded it on the MEGA file sharing server, and then encrypted all the devices in the network. Within 48 hours, they stole over 1TB of data from the server, Sophos reported.
“Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer,” explained Sophos.
The only way to prevent unauthorized access is to install the latest cumulative updates.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Performance

Analytics

Others

ProxyShell Exploits Used To Target Microsoft Exchange Servers

About the author

CIM Team

Share:

Related ARTICLES

CaTEGORIES

Quick Nav

ProxyShell Exploits Used To Target Microsoft Exchange Servers

About the author

CIM Team

Share:

Related ARTICLES

Weekly Cyber Threat Report, May 22-26, 2023

Devastating DDoS Attacks Launched Against Gaming Industry by Dark Frost Botnet

Israeli Logistics Sector Attacked by Iranian Tortoiseshell Hackers

GoldenJackal: New Threat Gang Attacking South Asian And Middle Eastern Governments

CaTEGORIES

Quick Nav