New threats based on ProxyShell vulnerability require immediate action


Conti Ransomware affiliates use Microsoft Exchange servers to hack corporate networks using recently disclosed ProxyShell vulnerability exploits.

Sophos made the discovery in a customer engagement in which the ransomware gang used Exchange to encrypt a customer’s data. Although Conti’s crew were not the first to take advantage of ProxyShell, the attacks discovered by Sophos have proceeded at lightning speed, according to Sean Gallagher, senior threat researcher at Sophos.

“They are looking for victims on the Internet,” he says. “Once they locate one, they can access it in seconds. Almost instant access. The time to launch a ransomware payload on the victimized networks is now a few hours.”

In the attacks observed by Sophos, the criminals gained access to the target’s network and set up a remote web shell in less than a minute. Three minutes later, they installed a second, backup web shell. In less than 30 minutes, they had generated a complete list of network computers, domain controllers, and domain administrators. Just four hours later, Conti’s affiliates had obtained domain administrator account credentials and began executing commands.

“Because they could pass through unprotected servers, they could use them to launch the rest of the attack without putting malware on the rest of the systems. They were able to document the victim’s network before the attack without being detected,” explains Gallagher.

Based on this new discovery, Sophos warns that the threat posed by ProxyShell and other attacks against known vulnerabilities in Microsoft Exchange is extremely high.

Organizations with on-premises Exchange Server should update and remediate their servers as soon as possible. If you are on an outdated release, immediately prioritize migrating to an updated version of Exchange that is not vulnerable and applying the fixes, Gallagher explains.

“Only the most recent versions of Exchange can be upgraded to protect against this,” he says. “Businesses need to upgrade their Exchange systems immediately. Businesses also need malware protection on their servers as well as on their endpoints. Criminals go after servers because they know they don’t have the same kind of protection as endpoints.”

Additionally, Gallagher cautions that another key defense tool is keeping track of administrator credentials.

“There’s a lot of burning and forgotten software out there,” he says. “This is of particular concern for small and medium-sized businesses where someone else has their systems installed. If someone has administrator access to a system, all bets are off.”

The key is to make sure that access rights are tracked, documented and updated regularly, Gallagher explains.

Learn more about ProxyShell attacks and how Sophos can help you protect yourself against them at

Copyright © 2021 IDG Communications, Inc.
