Cyber Crime

Conti ransomware gang targets Microsoft Exchange servers with ProxyShell exploits

The Conti ransomware operators are targeting Microsoft Exchange servers leveraging recently disclosed ProxyShell vulnerability exploits.

The Conti ransomware gang is targeting Microsoft Exchange servers leveraging exploits with recently disclosed ProxyShell vulnerabilities.

ProxyShell is the name of three vulnerabilities that could be chained by an unauthenticated remote attacker to gain code execution on Microsoft Exchange servers.

The three vulnerabilities used in ProxyShell attacks are:

The vulnerabilities are exploited remotely through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS.

The vulnerabilities were discovered by security Researcher Tsai orange from Devcore, the issues were awarded $ 200,000 during the April 2021 Pwn2Own hacking contest

Last week, while researchers from Sophos providing incident response support to a customer discovered that the threat actors breached the network exploiting Microsoft Exchange ProxyShell vulnerabilities.

Conti Ransomware operators, like other threat actors, are attempting to target organizations using Exchange Server that have yet to update their installs.

Once gained access to the network they first dropped web shells to execute commands and compromise the server, then manually deployed the ransomware to infect the larger number of systems as possible on the network.

“In the case of one of the group of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second, backup web shell. Within 30 minutes they had generated a complete list of the network’s computers, domain controllers, and domain administrators. Just four hours later, the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands.” reads the analysis published by Sophos. “Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.”

Experts noticed that the ransomware gang installed less than seven backdoors on the target network, a couple of web shells, Cobalt Strike, and AnyDesk, Atera, Splashtop and Remote Utilities commercial remote access tools.

“Using ProxyShell, the attackers created a new mailbox for “administrator,” and then assigned new roles to that mailbox using Microsoft Exchange “cmdlets”—including rights to remotely execute PowerShell commands.” continues the report. “In another recent Conti ProxyShell attack, the attacker created a mailbox referencing Evil Corp, the organization behind Dridex (as well as a fictional company the television show Mr. Robot) , as part of the ProxyShell attack.”

Once gained access to the target network, the ransomware operators upload stolen data to the MEGA file sharing server. Only after five days, the group started encrypting the devices on the network launching the attack from an unprotected server.

The threat actors launched batch files that repeatedly invoked the ransomware executable “x64.exe2, experts noticed that in each iteration it targeted specific drives on every Windows system on the network by their default file sharing names (C$, D$, etc.):

start C:\x64.exe -m -net -size 10 -nomutex -p \\[computer Active Directory name]\C$

The Conti ransomware operators were able to exfiltrate 1 TB of data in only 48 hours.

Unfortunately, multiple threat actors already leverage ProxyShell vulnerabilities in attacks aimed at organizations worldwide, for this reason, experts recommend admins install cumulative updates on their servers.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Conti Ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

EvilVideo, a Telegram Android zero-day allowed sending malicious APKs disguised as videos

EvilVideo is a zero-day in the Telegram App for Android that allowed attackers to send…

4 hours ago

SocGholish malware used to spread AsyncRAT malware

The JavaScript downloader SocGholish (aka FakeUpdates) is being used to deliver the AsyncRAT and the…

15 hours ago

UK police arrested a 17-year-old linked to the Scattered Spider gang

Law enforcement arrested a 17-year-old boy from Walsall, U.K., for suspected involvement in the Scattered…

19 hours ago

Security Affairs Malware Newsletter – Round 3

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

2 days ago

Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

2 days ago

U.S. CISA adds Adobe Commerce and Magento, SolarWinds Serv-U, and VMware vCenter Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe Commerce and Magento, SolarWinds Serv-U, and…

2 days ago

This website uses cookies.