Conti ransomware operators are using the recently disclosed ProxyShell exploits to break into Microsoft Exchange servers.
Attackers can chain three known Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) against unpatched servers to achieve unauthenticated remote code execution.
Microsoft released patches for these issues in May 2021. Technical details and working exploits were published later, after which multiple threat actors began using them in attacks.
Until now, attacks using ProxyShell had been limited to deploying LockFile ransomware and dropping web shells and backdoors.
Last week, Conti ransomware attackers encrypted the network of a customer of the cybersecurity firm Sophos. Sophos researchers reported that the attackers exploited the ProxyShell vulnerabilities in the victim's Microsoft Exchange server to break into the network.
The attackers dropped web shells on the Exchange server, which they then used to download additional malware and execute arbitrary code, compromising the rest of the network.
From there, the threat actors enumerated the computers and administrator accounts on the network and dumped credentials from LSASS memory to obtain administrator-level access, which they used to spread across the network, including to other servers.
After compromising the servers, the attackers installed remote-access tools such as AnyDesk to control them. The threat actors followed the same procedure in most of their attacks, including the case analyzed by Sophos.
They stole unencrypted data, uploaded it to the MEGA file-sharing service, and then encrypted every device on the network. Within 48 hours they had stolen about 1 TB of data, Sophos reported.
“Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer,” explained Sophos.
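The intrusion described above starts with ProxyShell requests against the Exchange front end and a web shell dropped on the server, both of which leave traces in the IIS logs. The following Python script is an added example, not code from Sophos or the article, that parses IIS W3C log lines and flags two indicators of that first stage: the ProxyShell path-confusion request (an Autodiscover URL whose query smuggles a backend path such as /mapi/nspi or /powershell together with an `Email=autodiscover/autodiscover.json?@` parameter) and requests to .aspx pages in locations where a stock Exchange install serves none. The log lines, the host names, the `X-Rps-CAT` token value and the allowlist of legitimate /owa/auth/ pages are constructed assumptions for illustration, not data from the incident.

```python
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (assumed, not from the Sophos report).
# IIS writes a "#Fields:" header naming the columns; the parser relies on it.
# IIS replaces spaces inside field values with "+", so splitting on spaces is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-20 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.9 Mozilla/5.0 200
2021-08-20 10:02:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-20 10:02:19 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=PLACEHOLDERTOKEN&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-20 10:04:40 10.0.0.5 POST /aspnet_client/shell.aspx - 443 - 198.51.100.7 python-requests/2.25.1 200
2021-08-20 10:05:00 10.0.0.5 GET /owa/auth/15.2.858/themes/resources/logon.css - 443 - 203.0.113.9 Mozilla/5.0 200
2021-08-20 10:06:12 10.0.0.5 POST /owa/auth/errorFE.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
"""

PROXYSHELL_STEM = "/autodiscover/autodiscover.json"
# Backend paths the published ProxyShell chain reaches through the Autodiscover front end.
PROXYSHELL_BACKENDS = ("/mapi/nspi", "/powershell", "/ews/")
# Assumed allowlist of legitimate .aspx pages under /owa/auth/; tune it per environment.
OWA_AUTH_ALLOWED = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def classify_request(rec):
    """Return an indicator label for one parsed request, or None if it looks benign."""
    stem = rec["cs-uri-stem"].lower()
    query = unquote(rec.get("cs-uri-query", "-")).lower()
    if stem.endswith(PROXYSHELL_STEM):
        # Path confusion: the query carries a second, smuggled Autodiscover URL and an
        # "@host" segment that steers the request at an internal backend endpoint.
        if "email=autodiscover/autodiscover.json?@" in query or (
            "@" in query and any(b in query for b in PROXYSHELL_BACKENDS)
        ):
            return "proxyshell-path-confusion"
    if stem.endswith(".aspx"):
        # /aspnet_client/ holds static client-side files only; an .aspx there is a web shell suspect.
        if stem.startswith("/aspnet_client/"):
            return "webshell-suspect"
        page = stem.rsplit("/", 1)[-1]
        if stem.startswith("/owa/auth/") and page not in OWA_AUTH_ALLOWED:
            return "webshell-suspect"
    return None


def hunt(text):
    """Run the classifier over a log and return (timestamp, client_ip, label, uri_stem) findings."""
    findings = []
    for rec in parse_iis_log(text):
        label = classify_request(rec)
        if label:
            findings.append((rec["date"] + " " + rec["time"], rec["c-ip"], label, rec["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for when, client, label, stem in hunt(SAMPLE_IIS_LOG):
        print(f"{when}  {client:<15}  {label:<26}  {stem}")
```

Run against the constructed log, the script reports the two ProxyShell requests and the POST to /aspnet_client/shell.aspx, all from the same client address, while the normal OWA logon and errorFE pages pass. On a real server point it at the files under the inetpub\logs\LogFiles directory; a hit on the path-confusion rule on a host that was unpatched at the time is a strong reason to treat the server as compromised rather than merely exposed.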
The only reliable way to prevent this initial access is to install the latest Exchange cumulative update and security updates. Patching does not remove web shells that were dropped before the update, so servers that were exposed while unpatched should also be checked for web shells and other signs of compromise.