Security News > 2021 > September > Conti ransomware now hacking Exchange servers with ProxyShell exploits

The Conti ransomware gang is hacking into Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell vulnerability exploits.

ProxyShell is the name of an exploit utilizing three chained Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on unpatched vulnerable servers.

We have seen threat actors using the ProxyShell vulnerabilities to drop webshells, backdoors, and to deploy the LockFile ransomware.

After analyzing the attack, Sophos discovered that the threat actors initially compromised the network using the recently disclosed Microsoft Exchange ProxyShell vulnerabilities.

"Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer," explained Sophos in their report.

Without a doubt, the ProxyShell vulnerabilities are being used by a wide range of threat actors at this time, and all Microsoft Exchange server admins need to apply the most recent cumulative updates to stay protected.

News URL

https://www.bleepingcomputer.com/news/security/conti-ransomware-now-hacking-exchange-servers-with-proxyshell-exploits/