tarekma7
Conti ransomware now hacking Exchange servers with ProxyShell exploits
#1
Quote: The Conti ransomware gang is hacking into Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell vulnerability exploits.

ProxyShell is the name of an exploit utilizing three chained Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that allow unauthenticated, remote code execution on unpatched vulnerable servers.

These three vulnerabilities were discovered by Devcore's Orange Tsai, who used them as part of the Pwn2Own 2021 hacking contest.

While Microsoft fully patched these vulnerabilities in May 2021, technical details regarding exploiting the vulnerabilities were recently released, allowing threat actors to start using them in attacks.

So far, we have seen threat actors using the ProxyShell vulnerabilities to drop webshells, backdoors, and to deploy the LockFile ransomware.

Conti is now using ProxyShell to breach networks
Last week, Sophos was involved in an incident response case where the Conti ransomware gang encrypted a customer.

After analyzing the attack, Sophos discovered that the threat actors initially compromised the network using the recently disclosed Microsoft Exchange ProxyShell vulnerabilities.

Like most recent Microsoft Exchange attacks, the threat actors first drop web shells used to execute commands, download software, and further compromise the server.

Once the threat actors gain complete control of the server, Sophos observed them quickly falling into their standard tactics as outlined in the recently leaked Conti training material.

This routine includes getting lists of domain admins and computers, dumping LSASS to gain access to administrator credentials, and spreading laterally throughout the network to other servers.

As the threat actors compromised various servers, they would install multiple tools to provide remote access to the devices, such as AnyDesk and Cobalt Strike beacons.

Continue reading HERE
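Added example, not code from the post or from the BleepingComputer/Sophos write-up it quotes: a small Python triage routine that runs over constructed Sysmon-style and IIS-style log lines and flags the stages the post describes on the defender's side, namely an IIS worker process writing a new .aspx page (web shell drop), POST requests to that page, a non-system process opening lsass.exe (credential dumping), and a remote-access tool such as AnyDesk being launched. The log line formats, the static-directory list, the lsass allowlist and the tool-name list are all assumptions to be tuned per environment.

```python
"""Toy detection pass over constructed log lines for the intrusion stages in the post."""
import re

# Constructed sample events (assumed formats; not from any real incident).
# Each entry is (source, raw line). Sysmon lines are flattened key=value text.
SAMPLE_EVENTS = [
    ("iis", "2021-09-03 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 200"),
    ("iis", "2021-09-03 10:02:17 10.0.0.5 POST /aspnet_client/system_web/cmd.aspx - 443 - 198.51.100.7 200"),
    ("sysmon", "EventID=11 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe "
               "TargetFilename=C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\cmd.aspx"),
    ("sysmon", "EventID=10 SourceImage=C:\\Windows\\Temp\\tool.exe "
               "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff"),
    ("sysmon", "EventID=10 SourceImage=C:\\Windows\\System32\\lsass.exe "
               "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000"),
    ("sysmon", "EventID=1 Image=C:\\Users\\Public\\AnyDesk.exe ParentImage=C:\\Windows\\System32\\cmd.exe"),
]

# Assumed allowlist: images that routinely open lsass on a Windows server. Tune per environment.
LSASS_ALLOWED = {
    "c:\\windows\\system32\\lsass.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}

# Assumed: web directories that serve static content and should never gain new .aspx pages.
STATIC_WEB_DIRS = ("/aspnet_client/",)

# Assumed: remote-access tools the post names; extend with whatever is unapproved locally.
REMOTE_ACCESS_TOOLS = ("anydesk",)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_sysmon(line):
    """Turn flattened key=value Sysmon text into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def parse_iis(line):
    """Split a W3C-style IIS line in the constructed field order:
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status."""
    f = line.split()
    return {"method": f[3], "uri": f[4], "client": f[8], "status": f[9]}


def triage(events):
    """Return (finding_type, detail) tuples in event order."""
    findings = []
    for source, line in events:
        if source == "sysmon":
            ev = parse_sysmon(line)
            eid = ev.get("EventID")
            image = ev.get("Image", "").lower()
            if eid == "11" and image.endswith("\\w3wp.exe") \
                    and ev.get("TargetFilename", "").lower().endswith((".aspx", ".ashx")):
                # IIS worker writing a server-side page: classic web shell drop.
                findings.append(("webshell_drop", ev["TargetFilename"]))
            elif eid == "10" and ev.get("TargetImage", "").lower().endswith("\\lsass.exe") \
                    and ev.get("SourceImage", "").lower() not in LSASS_ALLOWED:
                # Unexpected process handle to lsass: credential dumping indicator.
                findings.append(("lsass_access", ev["SourceImage"]))
            elif eid == "1" and any(t in image for t in REMOTE_ACCESS_TOOLS):
                findings.append(("remote_access_tool", ev["Image"]))
        elif source == "iis":
            req = parse_iis(line)
            uri = req["uri"].lower()
            if req["method"] == "POST" and uri.endswith(".aspx") \
                    and any(uri.startswith(d) for d in STATIC_WEB_DIRS):
                # POST to a page inside a static-only directory: web shell being used.
                findings.append(("webshell_request", f'{req["client"]} -> {req["uri"]}'))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:20} {detail}")
```

The legitimate GET to /owa/auth/logon.aspx and lsass opening a handle to itself produce no findings; the four remaining events map one-to-one onto the stages the post lists, which is the point: each stage leaves a host or web log trace that can be alerted on before encryption starts.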