
The Conti ransomware operators are targeting Microsoft Exchange servers and breaching corporate networks using ProxyShell vulnerabilities.

  • The Conti ransomware gang encrypted the company's servers after using ProxyShell vulnerabilities to gain access to the network.
  • The ransomware operators were able to exfiltrate 1 TB of data in only 48 hours.

Security researcher Orange Tsai from Devcore discovered the vulnerabilities, and the findings earned $200,000 during the April Pwn2Own hacking contest.

Last week, Sophos was involved in an incident response case in which the Conti ransomware gang encrypted a customer's network.

After analyzing the attack, Sophos found out that the threat actors initially compromised the network using the recently revealed Microsoft Exchange ProxyShell vulnerabilities.

The three Microsoft Exchange vulnerabilities used in ProxyShell attacks are:

  • CVE-2021-34473: Pre-auth Path Confusion leads to ACL Bypass
  • CVE-2021-34523: Elevation of Privilege on Exchange PowerShell Backend
  • CVE-2021-31207: Post-auth Arbitrary-File-Write leads to RCE

Once they gained access to the network, the threat actors first dropped web shells to execute commands, download software and further compromise the server.

“In the case of one of the groups of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second backup web shell. Within 30 minutes, they had generated a complete list of the network’s computers, domain controllers, and domain administrators. Just four hours later, the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands,” explains the analysis published by Sophos.

Tools that Conti used in the observed attack; image @BleepingComputer

“Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.”

Experts noted that the Conti affiliates installed no fewer than seven backdoors on the target network: two web shells, Cobalt Strike, and four commercial remote access tools (AnyDesk, Atera, Splashtop and Remote Utilities).
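Two of the behaviours described above are easy to hunt for in endpoint process-creation telemetry: the Exchange IIS worker process (w3wp.exe) spawning a command interpreter, which is what a web shell executing commands looks like, and commercial remote access tools appearing on hosts where nobody approved them. The script below is an added example written for this article, not code from Sophos, BleepingComputer or the Conti analysis. The log format, the host names, the approved-host list and the executable names mapped to each tool are assumptions constructed for illustration; adapt the mapping to what your EDR actually reports.

```python
import re
from collections import Counter

# Remote access tools named in the Sophos write-up, keyed by the executable
# name each one is assumed to run as (assumption for illustration only).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "srservice.exe": "Splashtop",
    "rutserv.exe": "Remote Utilities",
}

# Hosts where a remote access tool is expected (constructed allowlist).
APPROVED_REMOTE_ACCESS_HOSTS = {"HELPDESK01"}

# Interpreters that a web shell typically launches from the IIS worker process.
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Constructed sample of process-creation events in a simple key=value format.
SAMPLE_EVENTS = """\
2021-09-03T10:15:01Z host=EXCH01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c set"
2021-09-03T10:15:40Z host=EXCH01 parent=w3wp.exe image=powershell.exe cmdline="powershell.exe -Command Get-Process"
2021-09-03T10:20:12Z host=EXCH01 parent=services.exe image=svchost.exe cmdline="svchost.exe -k netsvcs"
2021-09-03T14:02:33Z host=WS-042 parent=explorer.exe image=AnyDesk.exe cmdline="AnyDesk.exe --install"
2021-09-03T14:10:05Z host=DC01 parent=msiexec.exe image=AteraAgent.exe cmdline="AteraAgent.exe"
2021-09-03T15:00:00Z host=HELPDESK01 parent=explorer.exe image=AnyDesk.exe cmdline="AnyDesk.exe"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict; quotes are stripped."""
    timestamp, _, rest = line.partition(" ")
    event = {"timestamp": timestamp}
    for key, value in _KV.findall(rest):
        event[key] = value.strip('"')
    return event


def scan(text):
    """Apply both detection rules to every event line and return the findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        host = ev.get("host", "")

        # Rule 1: IIS worker process launching a shell -> web shell activity.
        if parent == "w3wp.exe" and image in SHELL_INTERPRETERS:
            findings.append({"rule": "webshell-command-execution",
                             "host": host, "timestamp": ev["timestamp"],
                             "detail": ev.get("cmdline", "")})

        # Rule 2: known remote access tool on a host not approved to run one.
        tool = REMOTE_ACCESS_TOOLS.get(image)
        if tool and host not in APPROVED_REMOTE_ACCESS_HOSTS:
            findings.append({"rule": "unapproved-remote-access-tool",
                             "host": host, "timestamp": ev["timestamp"],
                             "tool": tool})
    return findings


def summarize(findings):
    """Count findings per rule so an analyst can triage the noisier rule first."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print(summarize(results))
```

On the constructed sample the script flags the two interpreter launches from w3wp.exe on the Exchange host and the AnyDesk and Atera installs on the workstation and the domain controller, while the AnyDesk instance on the approved help-desk host passes. The allowlist is the important design choice: the tools Conti used are legitimate products, so the signal is not the binary itself but its presence on a host that has no business running it.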

All Exchange server admins are advised to apply the latest cumulative updates to stay protected.
