Conti ransomware raiders exploit ‘ProxyShell’ Exchange bugs – Security

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft’s Exchange Server to attack and remotely take over organisations’ networks, security researchers warn.

ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.

Security vendor Sophos observed that Conti affiliates appear to have sped up their attacks considerably, deploying ransomware in just a few hours instead of waiting for weeks.

The ransomware criminals install multiple webshells on Exchange Servers, and quickly obtain domain administrator credentials for full network mapping and takeover, Sophos said.

In one attack, the Conti affiliates installed two webshells, the Cobalt Strike penetration testing tool, and the AnyDesk, Atera, Splashtop and Remote Utilities commercial remote access software.

Sophos added that within 48 hours of inital access to the victim’s networks, the Conti criminals had exfiltrated large amounts of data.

Five days after the initial intrusion, the Conti affiliates would deploy the ransomware, targeting network shares in particular, to encrypt the victim’s computers.

Sophos advised Exchange Server operators to patch their software as soon as possible, as the threat of further attacks is extremely high.