Using recently disclosed ProxyShell vulnerability exploits, the Conti ransomware group is hacking into Microsoft Exchange servers and compromising corporate networks. ProxyShell is a moniker for an attack that uses three chained Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to allow unauthenticated, remote code execution on susceptible servers that haven't been patched.
The attacks occur at a breakneck speed. On one occasion a second web shell was installed minutes after the first. The Conti attackers compiled a complete list of the network's computers, domain controllers, and domain administrators in less than 30 minutes. Four hours later, having obtained the credentials of domain administrator accounts, the attackers began executing commands.
The attackers had exfiltrated around 1 terabyte of data within 48 hours of gaining access. Conti malware was installed on every system on the network within five days, specifically targeting individual network shares on each workstation.
The Conti affiliates also installed no fewer than seven back doors on the network during the attack: two web shells, Cobalt Strike, and four commercial remote access programmes, namely AnyDesk, Atera, Splashtop, and Remote Utilities. Initial access was provided by the web shells, with Cobalt Strike and AnyDesk serving as the primary tools for the rest of the attack.
“We want to highlight the speed at which the attack took place,” said Peter Mackenzie, manager of incident response at Sophos. “Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, in this case, the Conti attackers gained access to the target’s network and set up a remote web shell in under one minute.”
Microsoft reported and patched the vulnerabilities early this year, but not all firms updated their systems, as is often the case with software upgrades. In March, Microsoft issued a warning that Chinese state-sponsored hackers were targeting the flaws. The best approach to protect against the assaults, according to Tom Burt, Microsoft's corporate vice president of customer security and trust, is to apply the updates. In April, the US Federal Bureau of Investigation took the unusual step of breaking into compromised Exchange servers to fix the flaws.
The Conti ransomware group has been active since 2020, and it has been linked to a number of attacks, including one in May that targeted Ireland's health system. Industrial computer firm Advantech Co. Ltd. was a victim of Conti in November, as was VoIP hardware and software supplier Sangoma Technologies Corp. in December, and hospitals in Florida and Texas in February.