Security News > 2021 > September > Conti ransomware now hacking Exchange servers with ProxyShell exploits

The Conti ransomware gang is hacking into Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell vulnerability exploits.
ProxyShell is the name of an exploit utilizing three chained Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on unpatched vulnerable servers.
We have seen threat actors using the ProxyShell vulnerabilities to drop webshells, backdoors, and to deploy the LockFile ransomware.
After analyzing the attack, Sophos discovered that the threat actors initially compromised the network using the recently disclosed Microsoft Exchange ProxyShell vulnerabilities.
"Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer," explained Sophos in their report.
Without a doubt, the ProxyShell vulnerabilities are being used by a wide range of threat actors at this time, and all Microsoft Exchange server admins need to apply the most recent cumulative updates to stay protected.
News URL
Related news
- DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects (source)
- China-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware (source)
- Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- US seizes domain of Garantex crypto exchange used by ransomware gangs (source)
- International cops seize ransomware crooks' favorite Russian crypto exchange (source)
- Like whitebox servers, rent-a-crew crime 'affiliates' have commoditized ransomware (source)
- New SuperBlack ransomware exploits Fortinet auth bypass flaws (source)
- RedCurl cyberspies create ransomware to encrypt Hyper-V servers (source)
- BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability (source)