Friday, March 29, 2024

Conti Ransomware Gang Hacking Microsoft Exchange Servers Using ProxyShell Exploits

Researchers have uncovered a new, ongoing campaign by the Conti ransomware gang that uses ProxyShell exploits to break into organizations' networks.

ProxyShell is an exploit chain that abuses Microsoft Exchange vulnerabilities reported over the past months; Microsoft patched them and released an update in May 2021 as part of Patch Tuesday.

Conti is one of the most ruthless ransomware gangs; the FBI has reported that the gang was involved in more than 400 high-profile cyber attacks, with ransom demands as high as $25 million.

The ProxyShell attack chain is now being employed by ransomware groups: the same exploit was already used by the LockFile ransomware, and it is now being used by Conti.

Researchers from Sophos believe that the attackers have gained experience with these techniques, as reflected in their dwell time before launching the final ransomware payload on target networks.

Conti gained access to the targeted network in under a minute and set up a remote web shell. Following this, they installed a second web shell that acts as a backup.

Thirty minutes later, the attackers generated a complete list of the computers in the targeted network, along with the domain controllers and domain admins.

Executing further commands, it took them an hour to obtain the credentials of domain administrator accounts; over the next 48 hours they exfiltrated about 1 terabyte of data, and finally they deployed the Conti ransomware to every machine on the network within 48 hours.

Technical Analysis

A chain of Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) was fixed in the recent April and May Exchange Server cumulative updates, which required organizations to upgrade their Exchange servers.

But some organizations left their Exchange servers unpatched to avoid email downtime, which leaves them exposed to attackers who routinely scan for vulnerable systems.

Once the attackers successfully entered the network, they created a new mailbox for “administrator” and assigned it a new role with the help of Microsoft Exchange cmdlets, which let them execute shell commands remotely. The web shell was written to the following path:

\\127.0.0.1\C$\inetpub\wwwroot\aspnet_client\aspnetclient_log.aspx

Later, the attackers created a web shell on the localhost address of the server and executed a base64-encoded PowerShell script.

In the next stage, the attackers used the encoded command to abuse the Service Control Manager to run a directory listing of the directory where the web shell was dropped.

In the reconnaissance phase, the attackers ran another PowerShell command to retrieve the list of domain computers from a text file and collect information about the network configuration, domain administrators, users actively connected to the system, and the process ID of the Local Security Authority Subsystem Service (LSASS), Sophos said.

Once they had collected all the necessary data, the attackers dropped an executable file (SVN.exe), executed it on the system, and established a connection to a C2 server located in Finland.

With the initial compromise complete, the attackers stole credentials and began lateral movement using an existing domain administrator account whose password they had cracked.

“That account was used to create an RDP connection from the Exchange server to another server. One minute later, the logs of that server show the domain admin account downloading and installing the AnyDesk remote desktop software as a service.”

Finally, the attackers deployed the file-copying utility Rclone on multiple servers with the help of a PowerShell file.

The data was then transferred to the Mega file-sharing service, using a configuration that included the addresses of the remote drives and the username and password for that account.

On the fifth day after the initial compromise, the Conti actors began deploying the ransomware and encrypting files.

“Four batch scripts (called 1help.bat, 2help.bat, 3help.bat, and 4help.bat) were run from four servers. The batch files repeatedly invoked the ransomware executable (x64.exe), with each iteration targeting specific drives on every Windows system on the network by their default file sharing names.”
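As an added illustration (not part of the article or Sophos's research), the following Python scan runs over constructed endpoint events and flags the stages described above: an .aspx written under aspnet_client, base64-encoded PowerShell launched by the IIS worker process (w3wp.exe, an assumption not stated in the article), Rclone copying to a Mega remote, and the Nhelp.bat / x64.exe pattern. Hostnames and command lines are constructed.

```python
import re

# Constructed sample endpoint events (not from the article): "host | event_type | details".
SAMPLE_EVENTS = """\
EX01 | file_write  | C:\\inetpub\\wwwroot\\aspnet_client\\aspnetclient_log.aspx
EX01 | proc_create | parent=w3wp.exe cmd=powershell.exe -nop -enc SQBFAFgAIAAoAE4AZQB3AC0A
EX01 | proc_create | parent=cmd.exe cmd=powershell.exe -File C:\\temp\\deploy.ps1
FS02 | proc_create | parent=powershell.exe cmd=rclone.exe copy D:\\shares mega:backup -P
DC01 | proc_create | parent=cmd.exe cmd=1help.bat
DC01 | proc_create | parent=1help.bat cmd=x64.exe \\\\WS15\\C$
WS03 | proc_create | parent=explorer.exe cmd=notepad.exe notes.txt
"""

# Rules: (label, regex). Indicators come from the attack chain above; the w3wp.exe
# parent (IIS worker hosting the web shell) is an assumption, not from the article.
RULES = [
    ("webshell_in_aspnet_client",
     re.compile(r"file_write.*\\aspnet_client\\[^\\]+\.aspx$", re.I)),
    ("encoded_powershell_from_iis",
     re.compile(r"parent=w3wp\.exe.*powershell.*\s-e(nc(odedcommand)?)?\s", re.I)),
    ("rclone_to_mega",
     re.compile(r"\brclone(\.exe)?\b.*\bmega:", re.I)),
    ("conti_batch_or_x64_exe",
     re.compile(r"\b\dhelp\.bat\b|\bx64\.exe\b", re.I)),
]


def scan_events(text):
    """Return (host, rule_label, event_line) for every event that matches a rule."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host = line.split("|", 1)[0].strip()
        for label, pattern in RULES:
            if pattern.search(line):
                hits.append((host, label, line))
    return hits


def hosts_by_rule(hits):
    """Group matched hosts per rule so a responder sees which stage touched which host."""
    summary = {}
    for host, label, _ in hits:
        summary.setdefault(label, set()).add(host)
    return summary


if __name__ == "__main__":
    for host, label, line in scan_events(SAMPLE_EVENTS):
        print(f"[{label}] {host}: {line}")
```

The unencoded PowerShell launched from cmd.exe and the notepad event are included as benign controls and produce no hits.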

ProxyShell and other attacks on known Microsoft Exchange vulnerabilities are extremely active right now. Organizations are advised to update and patch on-premises Exchange servers as soon as possible.

Here are the recently released updates with the patches for the Microsoft Exchange server.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.