Using recently disclosed ProxyShell vulnerability exploits, the Conti ransomware group is hacking into Microsoft Exchange servers and compromising corporate networks. ProxyShell is a moniker for an attack that uses three chained Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to allow unauthenticated, remote code execution on susceptible servers that haven't been patched. The attacks occur at a breakneck speed. A second web shell was installed minutes after the first web shell was installed on one occasion. The Conti attackers compiled a complete list of the network's computers, domain controllers, and domain administrators in less than 30 minutes. After obtaining the credentials of domain administrator accounts, the attackers began executing demands four hours later. The attackers had exfiltrated around 1 terabyte of data within 48 hours of gaining access. Conti malware was installed on every system on the network within five days, specifically targeting individual network shares on each workstation. The Conti affiliates also installed no fewer than seven back doors on the network during the attack: two web shells, Cobalt Strike, and four commercial remote access programmes dubbed AnyDesk, Aterta, Splashtop, and Remote Utilities. Early access was provided by web shells, with Cobalt Strike and AnyDesk serving as the primary tools for the rest of the attack. “We want to highlight the speed at which the attack took place,” said Peter Mackenzie, manager of incident response at Sophos. “Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, in this case, the Conti attackers gained access to the target’s network and set up a remote web shell in under one minute.” Microsoft reported and patched the vulnerabilities early this year, but not all firms updated their systems, a ..
Support the originator by clicking the read the rest link below.
