Conti ransomware raiders exploit 'ProxyShell' Exchange bugs

Gaining access to networks in less than a minute.

Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft's Exchange Server to attack and remotely take over organisations' networks, security researchers warn.

ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.

Security vendor Sophos observed that Conti affiliates appear to have sped up their attacks considerably, deploying ransomware in just a few hours instead of waiting for weeks.

The ransomware criminals install multiple webshells on Exchange Servers, and quickly obtain domain administrator credentials for full network mapping and takeover, Sophos said.

In one attack, the Conti affiliates installed two webshells, the Cobalt Strike penetration testing tool, and the AnyDesk, Atera, Splashtop and Remote Utilities commercial remote access software.

Sophos added that within 48 hours of initial access to the victim's networks, the Conti criminals had exfiltrated large amounts of data.

Five days after the initial intrusion, the Conti affiliates would deploy the ransomware, targeting network shares in particular, to encrypt the victim's computers.

Sophos advised Exchange Server operators to patch their software as soon as possible, as the threat of further attacks is extremely high.
