The ProxyShell vulnerabilities are being used by threat actors to launch domain-wide ransomware attacks against their targets, a new research report from The DFIR Report reveals.
The report, published on Monday, describes how an unnamed customer running an unpatched MS Exchange Server was hit with ransomware after attackers exploited the ProxyShell vulnerabilities to compromise the organization domain-wide.
A recent Shodan search found 23,000 detected servers still unpatched against ProxyShell and around 10,000 still vulnerable to ProxyLogon. Three months earlier, the ProxyShell figure was approximately 48,000 servers.
Technical Details of the Attack
According to The DFIR Report, in the identified attack, threat actors dropped multiple web shells across the victim’s network, executed commands to obtain SYSTEM-level privileges, stole a domain administrator account, and used the DiskCryptor and BitLocker encryption tools to encrypt the victim’s systems.
Through the stolen Domain Admin account, the threat actors performed port scanning with KPortScan 3.0 and used RDP for lateral movement. Targeted servers included backup systems and domain controllers. After gaining access to these systems, the threat actor deployed the FRP package.
“Finally, the threat actors deployed setup.bat across the servers in the environment using RDP and then used an open-source disk encryption utility to encrypt the workstations. Setup.bat ran commands to enable BitLocker encryption, which resulted in the hosts being inoperable,” researchers noted in their report.
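To show what a defender can do with the chain described above, here is an added example (not from The DFIR Report or Hackread) that correlates constructed process-creation telemetry into the stages the report names: KPortScan recon, FRP tunnelling, setup.bat staging, and DiskCryptor/BitLocker encryption. The binary names used in the patterns (kportscan, frpc, dcrypt, manage-bde) are assumptions about how these tools surface in logs.

```python
import re
from collections import OrderedDict

# Stage patterns drawn from the intrusion narrative; the tool binary names
# are assumptions about how they appear in process telemetry.
STAGES = OrderedDict([
    ("recon",   re.compile(r"kportscan", re.I)),
    ("tunnel",  re.compile(r"\bfrp[cs]?(\.exe)?\b", re.I)),
    ("staging", re.compile(r"setup\.bat", re.I)),
    ("encrypt", re.compile(r"manage-bde.*-on|diskcryptor|\bdcrypt\b", re.I)),
])

# Constructed sample events (timestamp, host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2021-09-01T10:05:00", "EXCH01", "cmd.exe /c whoami"),
    ("2021-09-01T10:41:00", "EXCH01", "C:\\temp\\KPortScan3.exe"),
    ("2021-09-01T11:20:00", "DC01", "C:\\temp\\frpc.exe -c frpc.ini"),
    ("2021-09-01T12:02:00", "BACKUP01", "cmd.exe /c C:\\setup.bat"),
    ("2021-09-01T12:02:05", "BACKUP01", "manage-bde -on C: -RecoveryPassword"),
    ("2021-09-01T12:03:00", "WS07", "C:\\Windows\\System32\\notepad.exe"),
]

def classify(cmdline):
    """Return the kill-chain stage a command line matches, or None."""
    for stage, pat in STAGES.items():
        if pat.search(cmdline):
            return stage
    return None

def kill_chain(events):
    """Distinct stages seen across the whole environment, in first-seen order,
    each with the host and timestamp of its first appearance. Correlating
    environment-wide matters because the stages land on different hosts."""
    hits = sorted(((ts, host, classify(cmd)) for ts, host, cmd in events),
                  key=lambda h: h[:2])
    seen = OrderedDict()
    for ts, host, stage in hits:
        if stage and stage not in seen:
            seen[stage] = (ts, host)
    return [(s, ts, h) for s, (ts, h) in seen.items()]

def is_hands_on_keyboard_encryption(events):
    """Alert when recon or tunnelling precedes encryption anywhere in the
    environment, the malware-free pattern described in the report."""
    order = [s for s, _, _ in kill_chain(events)]
    if "encrypt" not in order:
        return False
    return any(order.index(s) < order.index("encrypt")
               for s in ("recon", "tunnel") if s in order)
```

A lone manage-bde call without preceding recon or tunnelling is not alerted on, so routine BitLocker rollouts do not trip the rule on their own.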
Attack Didn’t Involve Malware
Researchers further noted that the attack did not involve ransomware-as-a-service tooling; instead, it used no malware at all.
“It was a rare occurrence of a ransomware attack where Cobalt Strike was not used or any other C2 framework.”
The report notes that the new ProxyShell attacks have not yet reached the same effectiveness as the ProxyLogon flaws discovered earlier in 2021, but the attacks are on the rise as servers worldwide remain unpatched.
Hackread earlier reported the findings of Sophos Labs and FireEye’s Mandiant research teams, which revealed that Conti ransomware affiliates and other threat actors are trying to compromise Microsoft Exchange Servers to infiltrate corporate networks by exploiting newly identified ProxyShell vulnerabilities.
For your information, ProxyShell is the name given to three Microsoft Exchange Server vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Discovered in July, the flaws collectively provide privilege escalation and remote code execution: an attacker chaining them can gain SYSTEM privileges and then execute arbitrary code on Exchange servers.