Tuesday, July 16, 2024
EHA

Conti Ransomware Gang Hacking Microsoft Exchange Servers Using ProxyShell Exploits

Researchers uncovered a new ongoing attack by Conti Ransomware Gang that utilized the ProxyShell to target the organization networks.

ProxySell is an exploit written to abuse the Microsoft Exchange vulnerabilities reported over the past months, also it was patched by Microsoft and released an update in May 2021 under patch Tuesday. 

Conti is one of the ruthless ransomware gangs, and The FBI reported that the gang was involved with more than 400 high-profile cyber attacks with demands as high as $25 million.

New ProxySell attack is employed by the Ransomware groups, and the same exploit was already utilized by the LockFile ransomware, now it is used by the Conit Ransomware.

Researchers from Sophos believe that the attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks.

Also Conti ransomware gain access to the targeted network under a minute and set up a remote Web Shell. Following this, they installed a second web shell that acts as a backup.

30 min later, Attackers generate a complete list of computers deployed in the targeted network, domain controller, and domain admins.

To execute the commands, it takes an hour to obtain the credentials of the domain administrator accounts, in another 48 hours, they exfiltrated about 1 Terabyte of data, and finally, they deployed the Conti ransomware to every machine on the network within 48 hours.

Technical Analysis

A Chain of Microsoft exchange vulnerabilities(CVE-2021-34473CVE-2021-34523CVE-2021-31207) was fixed in the recent April, May Exchange Server cumulative update, which leads to the organization upgrade their exchange server.

But some of the organizations leaving the exchange server without applying the patch due to email downtime, and it leaves them to attackers who used to scan the vulnerable systems.

Once the attackers successfully entered into the network, attackers create a new mailbox for “administrator,” and placing a new role with the help of Microsoft Exchange “cmdlets that help them to execute the Shell commands remotely.

\\127.0.0.1\C$\inetpub\wwwroot\aspnet_client\aspnetclient_log.aspx

Later, the attackers create a web shell in the localhost address of the sever and execute a PowerShell script which is encoded in base64.

In the next stage, attack utilizing the encoded command to abuses Service Control Manager to execute a directory look-up on the directory where the web shell was dropped.

In the Reconnaissance Phase, attackers another PowerShell command to retrieving the list of domain computers from the text file and collect the information about the network configuration, domain administrators, users actively connected to the system, process ID of the Local Security Authority Subsystem Service. Sophos said.

Once they have collected the all necessary data, the attacker dropped an executable file (SVN.exe) and executed it on the system then establish a connection to the C2 server which is placed in Finland.

Once the initial stage of compromise was done, attackers stealing the credentials then began lateral movement using an existing domain administrator account that they had cracked. 

“That account was used to create an RDP connection from the Exchange server to another server. One minute later, the logs of that server show the domain admin account downloading and installing the AnyDesk remote desktop software as a service.”

Finally, attackers deployed the File copying utility called Rclone in multiple servers with the help of PowerShell file.

Later the date has been transferring to the Mega file-sharing service that includes addresses of remote drives and the username & password for that account.

Exactly 5th day since the intimal compromiseConti actors began deploying ransomware and start the encrypt the files.

“Four batch scripts (called 1help.bat, 2help.bat, 3help.bat, and 4help.bat) were run from four servers. The batch files repeatedly invoked the ransomware executable (x64.exe), with each iteration targeting specific drives on every Windows system on the network by their default file sharing names “

ProxyShell and other attacks on known Microsoft Exchange vulnerabilities are extremely high now. Organizations are recommended to update and patch servers on-premises Exchange Server as soon as is possible.

Here are the recently released updates with the patches for the Microsoft Exchange server.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...

Hacktivist Groups Preparing for DDoS Attacks Targeting Paris Olympics

Cyble Research & Intelligence Labs (CRIL) researchers have identified a cyber threat targeting the...

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles