Conti ransomware affiliates hit Exchange Servers with ProxyShell exploits

Conti ransomware affiliates are exploiting three vulnerabilities that allow unauthenticated remote code execution on unpatched Microsoft Exchange Servers.

According to researchers, threat actors including Conti ransomware affiliates are exploiting three vulnerabilities that allow unauthenticated remote code execution on Microsoft Exchange Servers that have not yet been patched.

In late August 2021, it was reported that threat actors were targeting unpatched Microsoft Exchange Servers with ProxyShell exploits. Now, according to independent findings from researchers at Sophos Labs and FireEye’s Mandiant, threat actors, including affiliates of the Conti ransomware gang, are attempting to compromise Microsoft Exchange Servers and breach corporate networks by exploiting the recently disclosed ProxyShell vulnerabilities.

Reportedly, threat actors have been exploiting these flaws for several weeks now.

Hackers Exploiting Three CVEs

Mandiant researchers noted that the gang exploited three chained vulnerabilities, tracked as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Together they allow unauthenticated remote code execution on Microsoft Exchange Servers that have not yet been patched.

Collectively, these vulnerabilities make up ProxyShell. Attackers chain them to upload web shells to target servers and gain initial access, then use multiple publicly available tools such as Mimikatz, Htran, Earthworm, and WMIExec to steal data.

Figure 4: BLUEBEAM ASP web shell that was embedded into a PST payload (Image: FireEye)

Separately, Sophos’ incident response team identified a series of attacks in which a Conti ransomware affiliate group used these ProxyShell exploits to establish access before deploying the Conti ransomware.

These CVEs were discovered by Devcore’s Orange Tsai during the Pwn2Own 2021 hacking contest. Microsoft patched them in May 2021, and details of the exploits were disclosed only recently, which is why threat actors are now using them to break into Exchange servers that remain unpatched.

Multiple Intrusions Detected

Mandiant’s report revealed that its team has responded to multiple intrusions, all of which exploited ProxyShell vulnerabilities. The attacks were dispersed across a range of customers and industries. The team has identified eight independent clusters of activity, but believes more will be detected as different actors attempt to exploit the flaws.

“Mandiant has observed the exploit chain resulting in post-exploitation activities, including the deployment of web shells, backdoors, and tunneling utilities to further compromise victim organizations.”

One such attack to which Mandiant’s Managed Defense Team responded was launched against a US university, and the threat actor was tracked as UNC2980. The team suspects a cyber-espionage gang operating out of China could be involved in this particular incident.

Conti Attacks Unfolded In Record Time

Sophos Labs’ team tracked the Conti ransomware attacks and found them unusual in that they unfolded in record time.

According to Sophos’ senior threat researcher Sean Gallagher, the attackers have become so practised in their techniques that their dwell time before launching the final Conti payload has decreased from “weeks to days to hours,” as Gallagher explained in a blog post.

“The Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second, backup web shell. Within 30 minutes they had generated a complete list of the network’s computers, domain controllers, and domain administrators.

Just four hours later, the Conti ransomware affiliates had obtained the credentials of domain administrator accounts and began executing commands,” reported Gallagher.

Within 48 hours of gaining initial access, the attackers had exfiltrated around 1 TB of data, and within five days they had installed seven backdoors: two web shells, four commercial remote access tools, including Splashtop, AnyDesk and Atera, and Cobalt Strike.

Widespread Availability of PoCs Worsening the Situation

Mandiant researchers believe that the widespread availability of proof-of-concept (PoC) exploits is worsening the situation.

“Examples of proof-of-concept exploits developed and released publicly by security researchers could be leveraged by any threat group, leading to adoption by threat groups with varying levels of sophistication,” Mandiant’s blog post read.

Researchers urge Microsoft Exchange administrators to apply the available fixes immediately to mitigate ProxyShell exploitation.
