Conti ransomware gang targets Microsoft Exchange servers with ProxyShell exploits

The Conti ransomware operators are targeting Microsoft Exchange servers leveraging recently disclosed ProxyShell vulnerability exploits.

The Conti ransomware gang is targeting Microsoft Exchange servers leveraging exploits with recently disclosed ProxyShell vulnerabilities.

ProxyShell is the name of three vulnerabilities that could be chained by an unauthenticated remote attacker to gain code execution on Microsoft Exchange servers.

The three vulnerabilities used in ProxyShell attacks are:

• CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
• CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
• CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

The vulnerabilities are exploited remotely through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS.

The vulnerabilities were discovered by security Researcher Tsai orange from Devcore, the issues were awarded $ 200,000 during the April 2021 Pwn2Own hacking contest. 

Last week, while researchers from Sophos providing incident response support to a customer discovered that the threat actors breached the network exploiting Microsoft Exchange ProxyShell vulnerabilities.

Conti Ransomware operators, like other threat actors, are attempting to target organizations using Exchange Server that have yet to update their installs.

Once gained access to the network they first dropped web shells to execute commands and compromise the server, then manually deployed the ransomware to infect the larger number of systems as possible on the network.

“In the case of one of the group of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second, backup web shell. Within 30 minutes they had generated a complete list of the network’s computers, domain controllers, and domain administrators. Just four hours later, the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands.” reads the analysis published by Sophos. “Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.”

Experts noticed that the ransomware gang installed less than seven backdoors on the target network, a couple of web shells, Cobalt Strike, and AnyDesk, Atera, Splashtop and Remote Utilities commercial remote access tools.

“Using ProxyShell, the attackers created a new mailbox for “administrator,” and then assigned new roles to that mailbox using Microsoft Exchange “cmdlets”—including rights to remotely execute PowerShell commands.” continues the report. “In another recent Conti ProxyShell attack, the attacker created a mailbox referencing Evil Corp, the organization behind Dridex (as well as a fictional company the television show Mr. Robot) , as part of the ProxyShell attack.”

Once gained access to the target network, the ransomware operators upload stolen data to the MEGA file sharing server. Only after five days, the group started encrypting the devices on the network launching the attack from an unprotected server.

The threat actors launched batch files that repeatedly invoked the ransomware executable “x64.exe2, experts noticed that in each iteration it targeted specific drives on every Windows system on the network by their default file sharing names (C$, D$, etc.):

start C:\x64.exe -m -net -size 10 -nomutex -p \\[computer Active Directory name]\C$

The Conti ransomware operators were able to exfiltrate 1 TB of data in only 48 hours.

Unfortunately, multiple threat actors already leverage ProxyShell vulnerabilities in attacks aimed at organizations worldwide, for this reason, experts recommend admins install cumulative updates on their servers.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Conti Ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]