Conti ransomware raiders exploit ‘ProxyShell’ Exchange bugs – Security

Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft’s Exchange Server to attack and remotely take over organisations’ networks, security researchers warn.

ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.

Security vendor Sophos observed that Conti affiliates appear to have sped up their attacks considerably, deploying ransomware in just a few hours instead of waiting for weeks.

The ransomware criminals install multiple webshells on Exchange Servers, and quickly obtain domain administrator credentials for full network mapping and takeover, Sophos said.

In one attack, the Conti affiliates installed two webshells, the Cobalt Strike penetration testing tool, and the AnyDesk, Atera, Splashtop and Remote Utilities commercial remote access software.

Sophos added that within 48 hours of inital access to the victim’s networks, the Conti criminals had exfiltrated large amounts of data.

Five days after the initial intrusion, the Conti affiliates would deploy the ransomware, targeting network shares in particular, to encrypt the victim’s computers.

Sophos advised Exchange Server operators to patch their software as soon as possible, as the threat of further attacks is extremely high.