Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft's Exchange Server to attack and remotely take over organisations' networks, security researchers warn.
ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.
Security vendor Sophos observed that Conti affiliates appear to have sped up their attacks considerably, deploying ransomware in just a few hours instead of waiting for weeks.
1 MINUTE— SophosLabs (@SophosLabs) September 3, 2021
In the case of one of the group of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. 4/14
The ransomware criminals install multiple webshells on Exchange Servers, and quickly obtain domain administrator credentials for full network mapping and takeover, Sophos said.
In one attack, the Conti affiliates installed two webshells, the Cobalt Strike penetration testing tool, and the AnyDesk, Atera, Splashtop and Remote Utilities commercial remote access software.
Sophos added that within 48 hours of inital access to the victim's networks, the Conti criminals had exfiltrated large amounts of data.
Five days after the initial intrusion, the Conti affiliates would deploy the ransomware, targeting network shares in particular, to encrypt the victim's computers.
Sophos advised Exchange Server operators to patch their software as soon as possible, as the threat of further attacks is extremely high.