430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Conti ransomware gang targets Microsoft Exchange servers with ProxyShell exploits

The Conti ransomware operators are targeting Microsoft Exchange servers leveraging recently disclosed ProxyShell vulnerability exploits. The Conti ransomware gang is targeting Microsoft Exchange servers leveraging exploits with recently disclosed ProxyShell vulnerabilities. ProxyShell is the name of three vulnerabilities that could be chained by an unauthenticated remote attacker to gain code execution on Microsoft Exchange servers. […]

conti ransomware proxyshell-ransomware-tools

The Conti ransomware operators are targeting Microsoft Exchange servers leveraging recently disclosed ProxyShell vulnerability exploits.

The Conti ransomware gang is targeting Microsoft Exchange servers leveraging exploits with recently disclosed ProxyShell vulnerabilities.

ProxyShell is the name of three vulnerabilities that could be chained by an unauthenticated remote attacker to gain code execution on Microsoft Exchange servers.

The three vulnerabilities used in ProxyShell attacks are:

The vulnerabilities are exploited remotely through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS.

The vulnerabilities were discovered by security Researcher Tsai orange from Devcore, the issues were awarded $ 200,000 during the April 2021 Pwn2Own hacking contest

Last week, while researchers from Sophos providing incident response support to a customer discovered that the threat actors breached the network exploiting Microsoft Exchange ProxyShell vulnerabilities.

Conti Ransomware operators, like other threat actors, are attempting to target organizations using Exchange Server that have yet to update their installs.

Once gained access to the network they first dropped web shells to execute commands and compromise the server, then manually deployed the ransomware to infect the larger number of systems as possible on the network.

“In the case of one of the group of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second, backup web shell. Within 30 minutes they had generated a complete list of the network’s computers, domain controllers, and domain administrators. Just four hours later, the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands.” reads the analysis published by Sophos. “Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.”

conti ransomware proxyshell-ransomware-tools

Experts noticed that the ransomware gang installed less than seven backdoors on the target network, a couple of web shells, Cobalt Strike, and AnyDesk, Atera, Splashtop and Remote Utilities commercial remote access tools.

“Using ProxyShell, the attackers created a new mailbox for “administrator,” and then assigned new roles to that mailbox using Microsoft Exchange “cmdlets”—including rights to remotely execute PowerShell commands.” continues the report. “In another recent Conti ProxyShell attack, the attacker created a mailbox referencing Evil Corp, the organization behind Dridex (as well as a fictional company the television show Mr. Robot) , as part of the ProxyShell attack.”

Once gained access to the target network, the ransomware operators upload stolen data to the MEGA file sharing server. Only after five days, the group started encrypting the devices on the network launching the attack from an unprotected server.

The threat actors launched batch files that repeatedly invoked the ransomware executable “x64.exe2, experts noticed that in each iteration it targeted specific drives on every Windows system on the network by their default file sharing names (C$, D$, etc.):

start C:\x64.exe -m -net -size 10 -nomutex -p \\[computer Active Directory name]\C$

The Conti ransomware operators were able to exfiltrate 1 TB of data in only 48 hours.

Unfortunately, multiple threat actors already leverage ProxyShell vulnerabilities in attacks aimed at organizations worldwide, for this reason, experts recommend admins install cumulative updates on their servers.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Conti Ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]