Some Microsoft Exchange email servers that were previously patched are still vulnerable. According to the latest update from cybersecurity consulting firm Pondurance, the Conti ransomware group is now using backdoors that were never removed from patched systems to compromise Exchange servers.
Conti is a ransomware operation that hires affiliates to carry out network breaches and encrypt victims’ files in exchange for a percentage from ransoms.
“Despite patching, thousands of devices might still be compromised,” Pondurance researchers say.
Conti is now attacking organizations that mitigated the ProxyLogon flaws first exploited by Chinese attackers but failed to remove the already-present backdoors, according to the researchers.
During a study conducted by Pondurance, the researchers discovered that an on-premises Exchange server had been compromised by an unauthorized remote monitoring agent that ultimately resulted in ransomware infection.
“The unauthorized RMM tool remained present on the victim machine for approximately four months and granted the ability for remote interaction with the victim machine,” Pondurance says. “In July, the RMM tool was used by outside actors to install additional malicious frameworks, including Cobalt Strike. The resulting actions concluded with the installation of Conti ransomware.”
The researchers explain that an organization likely patched Exchange but did not detect that a backdoor was already in the system.
“Pondurance recommends searching for unauthorized ScreenConnect services installed on on-premises Exchange servers that were vulnerable to [the flaw exploit] at some point,” Pondurance says. “These services should be present within the registry and would have generated ‘Service Created’ event logs (event ID 7045) at the time of install in March 2021. You may also find ScreenConnect-related folders created in the filesystem under ‘C:\ProgramData,’ ‘C:\Program Files (x86),’ and ‘C:\Windows\Temp.’”
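The three checks Pondurance describes (7045 service-creation events, service entries in the registry, and leftover folders) can be run together from an elevated PowerShell session on the Exchange host. This is an added example written for this article, not Pondurance's or the publication's code; the March 2021 date window and the variable names are assumptions.

```powershell
# Added example: hunt for unauthorized ScreenConnect remnants on an
# on-premises Exchange server. Run elevated on the server itself.
$Pattern = 'ScreenConnect'
# Pondurance places the installs in March 2021; widen the window if needed.
$Start = Get-Date '2021-03-01'
$End   = Get-Date '2021-04-01'
$Findings = @()

# 1. Service Control Manager "service created" events (System log, ID 7045)
$Filter = @{ LogName = 'System'; Id = 7045; StartTime = $Start; EndTime = $End }
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    ForEach-Object {
        $Findings += [pscustomobject]@{
            Source = 'EventLog 7045'
            Detail = "$($_.TimeCreated) $(($_.Message -split "`r?`n")[0])"
        }
    }

# 2. Service definitions still present under HKLM\SYSTEM\CurrentControlSet\Services
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($_.PSChildName -match $Pattern -or
            $Props.ImagePath -match $Pattern -or
            $Props.DisplayName -match $Pattern) {
            $Findings += [pscustomobject]@{
                Source = 'Registry service'
                Detail = "$($_.PSChildName): $($Props.ImagePath)"
            }
        }
    }

# 3. Folders left behind in the three locations Pondurance lists
$Roots = "$env:ProgramData", "${env:ProgramFiles(x86)}", "$env:SystemRoot\Temp"
foreach ($Root in $Roots) {
    Get-ChildItem -Path $Root -Directory -Filter "*$Pattern*" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Findings += [pscustomobject]@{ Source = 'Filesystem'; Detail = $_.FullName }
        }
}

if ($Findings) { $Findings | Format-Table -AutoSize }
else { 'No ScreenConnect remnants found in the checked locations.' }
```

ScreenConnect is a legitimate RMM product, so every hit should be compared against the organization's inventory of approved tools before it is treated as the backdoor described above.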
CIM recently reported that a disgruntled Conti affiliate leaked the ransomware group’s key training materials and tools. The data also included the server names and IP addresses of the Cobalt Strike C2 servers, an archive containing tools, and training materials for carrying out ransomware attacks.