New Threats Based on ProxyShell Vulnerability Require Immediate Action

Conti ransomware affiliates are using Microsoft Exchange servers to hack into corporate networks using recently disclosed ProxyShell vulnerability exploits.

Sophos made the discovery in a customer engagement in which the ransomware gang used Exchange to encrypt a customer’s data. While the Conti crew is not the first to take advantage of ProxyShell, in the attacks Sophos uncovered, they unfolded at lightning speed, according to Sophos Senior Threat Researcher Sean Gallagher.

“They are scanning the Internet for victims,” he says. “Once they locate one, they can gain access in moments. Almost instant access. The time to launch a ransomware payload on victim networks is down to hours now.”

In the attacks that Sophos observed, the criminals gained access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second, backup web shell. Within 30 minutes they had generated a complete list of the network’s computers, domain controllers, and domain administrators. Just four hours later, the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands.

“Because they could get through unprotected servers, they could use them to launch the rest of attack without putting malware on the rest of the systems. They were able to document the victim network before the attack without being detected,” Gallagher says.

Based on this new discovery, Sophos is warning that the threat posed by ProxyShell, and other attacks on known Microsoft Exchange vulnerabilities, is extremely high.

Organizations with on-premises Exchange Server should update and patch servers as soon as is possible. If you’re behind on your version, immediately prioritize migrating to an updated version of Exchange that is not vulnerable and apply patches, says Gallagher.

“Only more recent versions of Exchange are capable of being upgraded to protect against this,” he says. “Organizations need to upgrade their Exchange systems immediately. Companies also need malware protection on their servers as well as their endpoints. The criminals go after servers because they know they don’t have the same kind of protection as endpoints.”

Further, Gallagher warns another key defense tool is keeping track of administrator credentials.

“There’s a lot of fire and forget software out there,” he says. “This is particularly a concern for small- and medium-sized business where someone else has installed their systems. If someone has admin access to a system, all bets are off.”

The takeaway is to ensure access rights are tracked, documented, and updated regularly, says Gallagher.

Learn more about ProxyShell attacks and how Sophos can help guard against them at Sophos.com