Tag Archive for: ProxyShell

Conti ransomware raiders exploit ‘ProxyShell’ Exchange bugs


Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft’s Exchange Server to attack and remotely take over organisations’ networks, security researchers warn.

ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.

Security vendor Sophos observed that Conti affiliates appear to have sped up their attacks considerably, deploying ransomware in just a few hours instead of waiting for weeks.

The ransomware criminals install multiple webshells on Exchange Servers, and quickly obtain domain administrator credentials for full network mapping and takeover, Sophos said.

In one attack, the Conti affiliates installed two webshells, the Cobalt Strike penetration testing tool, and the AnyDesk, Atera, Splashtop and Remote Utilities commercial remote access software.

Sophos added that within 48 hours of initial access to the victim’s network, the Conti criminals had exfiltrated large amounts of data.

Five days after the initial intrusion, the Conti affiliates would deploy the ransomware, targeting network shares in particular, to encrypt the victim’s computers.

Sophos advised Exchange Server operators to patch their software as soon as possible, as the threat of further attacks is extremely high.

Source…

CISA warns admins to urgently patch Exchange ProxyShell bugs


The US Cybersecurity and Infrastructure Security Agency (CISA) issued its first alert tagged as “urgent,” warning admins to patch on-premises Microsoft Exchange servers against actively exploited ProxyShell vulnerabilities.

“Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207,” CISA warned over the weekend.

“CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”

These three security flaws (patched in April and May 2021) were discovered by Devcore security researcher Orange Tsai, who chained them to compromise a Microsoft Exchange server at April’s Pwn2Own 2021 hacking contest.

Actively exploited by multiple threat actors

This warning comes after similar ones alerting organizations to defend their networks from the wave of attacks that hit tens of thousands of organizations worldwide in March, with exploits targeting four zero-day Microsoft Exchange bugs known as ProxyLogon.

Although Microsoft had fully patched the ProxyShell bugs by May 2021, it did not publish CVE IDs for two of the three vulnerabilities (CVE-2021-34473 and CVE-2021-34523) until July, so organizations that track their exposure by CVE had no way of knowing that their unpatched servers were affected.

After additional technical details were recently disclosed, both security researchers and threat actors could reproduce a working ProxyShell exploit.

Then, just as it happened in March, attackers began scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities.

After breaching unpatched Exchange servers, threat actors drop web shells that allow them to upload and execute malicious tools.

While, in the beginning, the payloads were harmless, attackers have begun deploying LockFile ransomware payloads delivered across Windows domains compromised using Windows PetitPotam exploits.

So far, US-based security firm Huntress Labs said it found over 140 web shells deployed by attackers on more than 1,900 compromised Microsoft Exchange servers until…

Source…

LockFile ransomware attacks Microsoft Exchange with ProxyShell exploits


A new ransomware gang known as LockFile encrypts Windows domains after hacking into Microsoft Exchange servers using the recently disclosed ProxyShell vulnerabilities.

ProxyShell is the name of an attack consisting of three chained Microsoft Exchange vulnerabilities that result in unauthenticated, remote code execution.

The three vulnerabilities were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them together to take over a Microsoft Exchange server in April’s Pwn2Own 2021 hacking contest.

While Microsoft fully patched these vulnerabilities in May 2021, more technical details were recently disclosed, allowing security researchers and threat actors to reproduce the exploit.

As reported last week by BleepingComputer, this has led to threat actors actively scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities.

After exploiting an Exchange server, the threat actors dropped web shells that could be used to upload other programs and execute them.
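The web-shell drop described here and in the CISA article above leaves traces in the IIS logs of the Exchange front end. The following script is an added example, not code from BleepingComputer, Huntress, NCC Group or Microsoft. It scans IIS W3C log lines for two publicly documented indicators: a request to /autodiscover/autodiscover.json whose query string contains an "@" (the path-confusion pattern used to reach back-end services), and any .aspx request under /aspnet_client/, a directory in which Exchange serves no ASP.NET pages of its own. The field layout, the back-end name list and the log lines are constructed for this example; real logs may carry more fields and should be read with the `#Fields:` header rather than a hard-coded list.

```python
"""Hunt for ProxyShell-style indicators in IIS W3C logs from an Exchange front end.

Added example for illustration; not part of the articles above.
"""
import re
from urllib.parse import unquote

# Field layout assumed for this example (a subset of the IIS W3C defaults).
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query", "c-ip", "sc-status"]

AUTODISCOVER_JSON = "/autodiscover/autodiscover.json"
# Back-end endpoints commonly named in the query of a path-confusion request
# (assumption for this example; extend as needed).
BACKEND_RE = re.compile(r"/(mapi/nspi|powershell|ews/exchange\.asmx)", re.IGNORECASE)

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-20 10:01:02 GET /autodiscover/autodiscover.json @example.net/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.net 203.0.113.10 200
2021-08-20 10:01:03 POST /autodiscover/autodiscover.json @example.net/powershell/?&Email=autodiscover/autodiscover.json%3F@example.net 203.0.113.10 200
2021-08-20 10:01:09 POST /aspnet_client/system_web/shell.aspx - 203.0.113.10 200
2021-08-20 10:02:00 POST /owa/auth.owa - 198.51.100.7 302
2021-08-20 10:02:05 GET /autodiscover/autodiscover.xml - 198.51.100.7 401
2021-08-20 10:03:00 GET /ecp/default.aspx - 198.51.100.7 200
"""


def parse_line(line):
    """Split one W3C record into a dict; return None if the field count is off."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return the names of the indicators that fire on a single record."""
    hits = []
    stem = rec["cs-uri-stem"].lower()
    # IIS stores the query percent-encoded; decode so %3F@ becomes ?@.
    query = unquote(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else ""

    if stem == AUTODISCOVER_JSON and "@" in query:
        target = BACKEND_RE.search(query)
        suffix = f"->{target.group(1).lower()}" if target else ""
        hits.append("autodiscover-path-confusion" + suffix)

    if stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
        hits.append("aspx-under-aspnet_client")

    return hits


def hunt(log_text):
    """Scan a whole log and return one finding per record that fires an indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "ip": rec["c-ip"],
                "method": rec["cs-method"],
                "stem": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "indicators": hits,
            })
    return findings


def sources_by_ip(findings):
    """Group fired indicators per client IP; one source hitting several is the strongest signal."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["indicators"])
    return by_ip


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['ip']} {f['method']} {f['stem']} {f['status']} {f['indicators']}")
    for ip, inds in sources_by_ip(results).items():
        print(f"{ip}: {sorted(inds)}")
```

A 200 on the .aspx request after the Autodiscover hits from the same address is the sequence to look for: the path-confusion requests mark the exploitation attempt, and the .aspx call is the first use of the dropped shell. Any file that such a request names should be pulled for review, not only the hits from this script.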

At the time, NCC Group vulnerability researcher Rich Warren told BleepingComputer that the web shells were being used to install a .NET backdoor, which was then downloading a harmless payload.

Since then, security researcher Kevin Beaumont reports that a new ransomware operation known as LockFile uses the Microsoft Exchange ProxyShell and the Windows PetitPotam vulnerabilities to take over Windows domains and encrypt devices.

When breaching a network, the threat actors first access the on-premises Microsoft Exchange server using the ProxyShell vulnerabilities. Once they have a foothold, Symantec says the LockFile gang uses the PetitPotam vulnerability (an NTLM relay attack) to take over a domain controller, and with it the Windows domain.

From there, it is trivial to deploy the ransomware through the entire network.

What we know about the LockFile ransomware

At this time, there is not much known about the new LockFile ransomware operation.

When first seen in July, the ransom note was named ‘LOCKFILE-README.hta’ but did not carry any particular branding, as shown below.

Old LockFile ransom notes

Starting last week, BleepingComputer began receiving reports of a ransomware gang…

Source…