This article has been indexed from E Hacking News – Latest Hacker News and IT Security News
Using recently disclosed ProxyShell vulnerability exploits, the Conti ransomware group is hacking into Microsoft Exchange servers and compromising corporate networks. ProxyShell is a moniker for an attack that uses three chained Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to allow unauthenticated, remote code execution on susceptible servers that haven’t been patched.
The attacks occur at a breakneck speed. In one case a second web shell was installed only minutes after the first. The Conti attackers compiled a complete list of the network’s computers, domain controllers, and domain administrators in less than 30 minutes. Four hours later, having obtained the credentials of domain administrator accounts, the attackers began executing commands.
The attackers had exfiltrated around 1 terabyte of data within 48 hours of gaining access. Conti malware was installed on every system on the network within five days, specifically targeting individual network shares on each workstation.
The Conti affiliates also installed no fewer than seven back doors on the network during the attack: two web shells, Cobalt Strike, and four commercial remote access programmes, namely AnyDesk, Atera, Splashtop, and Remote Utilities. Early access was provided by the web shells, with Cobalt Strike and AnyDesk serving as the primary tools for the rest of the attack.
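The mix of back doors described above (web shells plus several commercial remote-access products that the organisation never sanctioned) is something a defender can check for mechanically. The following is an added example, not code from the article or from Sophos: it parses a host software inventory, compares every remote-access product against an allowlist of the hosts permitted to run it, and escalates when more than one unapproved tool turns up on the network. The inventory format, the host names, the install dates and the allowlist are all constructed for the example; the product names are the four the article reports.

```python
"""Flag unapproved remote-access software in a host software inventory.

Added example (not from the article or Sophos). The Conti intrusion described
in the article left several commercial remote-access programs on the network
alongside web shells and Cobalt Strike. A simple defensive check is to compare
each host's installed software against an allowlist of the tools the
organisation actually sanctions, alert on any unapproved remote-access product,
and escalate when several distinct ones appear. The inventory format and the
allowlist below are assumptions made for this example.
"""
from collections import defaultdict

# Remote-access products named in the article. Matching is case-insensitive
# and by substring so that edition or version suffixes do not matter.
REMOTE_ACCESS_PRODUCTS = ("anydesk", "atera", "splashtop", "remote utilities")

# Constructed sample inventory: "hostname,product name,install date" per line.
SAMPLE_INVENTORY = """\
EXCH01,Microsoft Exchange Server 2016,2019-03-02
EXCH01,AnyDesk,2021-08-29
WS-ACCT-07,Microsoft Office,2020-01-15
WS-ACCT-07,Splashtop Streamer,2021-08-30
WS-HR-02,Remote Utilities - Host,2021-08-30
DC01,Atera Agent,2021-08-30
HELPDESK-01,AnyDesk,2020-06-11
"""

# Assumed policy: only the helpdesk host is allowed to run AnyDesk; nothing
# else on the remote-access list is sanctioned anywhere.
ALLOWLIST = {"anydesk": {"HELPDESK-01"}}


def parse_inventory(text):
    """Turn the CSV-style inventory into a list of dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, product, installed = (f.strip() for f in line.split(",", 2))
        rows.append({"host": host, "product": product, "installed": installed})
    return rows


def remote_access_keyword(product):
    """Return the matching remote-access keyword, or None if not one."""
    lowered = product.lower()
    for name in REMOTE_ACCESS_PRODUCTS:
        if name in lowered:
            return name
    return None


def find_unapproved(rows, allowlist):
    """Rows whose product is a remote-access tool that this host is not
    allowlisted to run. allowlist maps keyword -> set of permitted hosts."""
    findings = []
    for row in rows:
        keyword = remote_access_keyword(row["product"])
        if keyword is None:
            continue
        if row["host"] not in allowlist.get(keyword, set()):
            findings.append({**row, "tool": keyword})
    return findings


def summarise(findings):
    """Distinct unapproved tools and the hosts carrying them. Several distinct
    remote-access tools appearing across the estate is the pattern the article
    describes, so two or more is rated high."""
    tools = sorted({f["tool"] for f in findings})
    hosts = defaultdict(list)
    for f in findings:
        hosts[f["host"]].append(f["tool"])
    severity = "high" if len(tools) >= 2 else ("medium" if tools else "none")
    return {"distinct_tools": tools, "hosts": dict(hosts), "severity": severity}


if __name__ == "__main__":
    report = summarise(find_unapproved(parse_inventory(SAMPLE_INVENTORY), ALLOWLIST))
    for host, tools in report["hosts"].items():
        print(f"{host}: unapproved remote access -> {', '.join(tools)}")
    print("severity:", report["severity"])
```

In practice the inventory would come from an endpoint-management or EDR export rather than an inline string, and the install date column is there so that the same check can be narrowed to tools that appeared within a short window, which is what distinguishes an intrusion from long-standing shadow IT.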
“We want to highlight the speed at which the attack took place,” said Peter Mackenzie, manager of incident response at Sophos. “Contrary to the typical attacker dwell time of months or weeks before they drop ransomwa
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
Read the original article: With ProxyShell Exploits, Conti Ransomware is Now Targeting Exchange Servers