Sophos researchers said in a blog post that ProxyShell represents an evolution of the ProxyLogon attack method — an exploit of Exchange vulnerabilities first revealed in March that has become a common attack technique used by ransomware actors.
The threat actors used the ProxyShell vulnerabilities to deploy webshells and backdoors, and then the new LockFile ransomware, first seen in July.
According to the Sophos researchers, the attackers move fast. In one case, a Conti affiliate gained access to a target’s network and set up a remote webshell in less than a minute. Three minutes later, they installed a backup webshell and within 30 minutes they generated a complete list of the network’s computers, domain controllers, and domain administrators.
The Conti ransomware group has recently been observed perfecting its exploitation of the ProxyShell vulnerabilities, something made possible by the significant technical details of the exploit that are now publicly available, said Alec Alvarado, threat intelligence team lead at Digital Shadows. Alvarado agreed with the Sophos researchers that the group moves quickly, and the more time they have to work with the exploit, the faster they become.
“Faster data exfiltration and systems encryption significantly decreases any chance to respond to ongoing intrusions,” Alvarado said. “Conti is not the only one exploiting ProxyShell vulnerabilities, and organizations need to ensure they have patched their systems. Unfortunately, holiday weekends are a favorite for cybercriminals as security teams are limited on resources. It won't be surprising if ransomware actors take advantage of the upcoming Labor Day weekend.”
It's not surprising that threat actors are using ProxyShell to deploy ransomware, said Jake Williams, co-founder and CTO at BreachQuest. While the vulnerabilities were patched in May, the exploit details are now publicly available and organizations should obviously patch any Exchange servers.
“This is particularly true for those with the Client Access Service (CAS) exposed to the internet, an extremely common configuration,” said Williams. “Organizations can detect exploitation easily by examining web server logs. Logs may also be obtained from web proxies. If organizations are unsure if they have patched these critical vulnerabilities, they should consider disabling access to the CAS from the internet immediately. They can do this by blocking access to TCP port 443 on any internet-facing Exchange servers. Be aware that there may be secondary impacts of this activity.”
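As an added illustration of the log review Williams describes (this is example code written for this page, not code from Sophos, BreachQuest or the article), the script below scans IIS W3C log lines for the ProxyShell Autodiscover path-confusion request: a request to `/autodiscover/autodiscover.json` whose query string carries an `Email=` value that itself names `autodiscover/autodiscover.json?@`, with an `@host/` prefix pointing at a privileged backend such as `/powershell` or `/mapi/nspi`. The log lines, host names and IP addresses are constructed for the example, and the `#Fields:` column order is assumed to match what the server actually logs.

```python
"""Flag ProxyShell-style Autodiscover requests in IIS W3C logs.

Added example, not part of the original article. SAMPLE_LOG is constructed
sample data; the field order comes from the log's own #Fields: header.
"""
from urllib.parse import unquote

AUTODISCOVER_STEM = "/autodiscover/autodiscover.json"
# The inner Email= value that the path-confusion request carries.
PROXYSHELL_MARKER = "autodiscover/autodiscover.json?@"
# Backend paths the outer "@host/" prefix is used to reach.
SENSITIVE_BACKENDS = ("/powershell", "/mapi/nspi", "/ews/exchange.asmx")

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-30 09:14:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2021-08-30 09:14:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.23 python-requests/2.25.1 200
2021-08-30 09:14:30 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.23 python-requests/2.25.1 200
2021-08-30 09:15:00 10.0.0.5 POST /autodiscover/autodiscover.json - 443 jdoe@corp.test 10.0.0.41 Microsoft+Office/16.0 200
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def proxyshell_target(record):
    """Return the backend path a ProxyShell-style request aims at, or None.

    Legitimate Autodiscover traffic also carries an "@" in Email=user@domain,
    so the check keys on the full "autodiscover.json?@" marker instead.
    """
    if record.get("cs-uri-stem", "").lower() != AUTODISCOVER_STEM:
        return None
    query = unquote(record.get("cs-uri-query", "")).lower()
    if PROXYSHELL_MARKER not in query:
        return None
    for backend in SENSITIVE_BACKENDS:
        if backend in query:
            return backend
    return "other"


def find_proxyshell_hits(text):
    """Return (timestamp, client IP, targeted backend) for each flagged request."""
    hits = []
    for rec in parse_iis_w3c(text):
        target = proxyshell_target(rec)
        if target:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], target))
    return hits


if __name__ == "__main__":
    for when, client, backend in find_proxyshell_hits(SAMPLE_LOG):
        print(f"{when} {client} -> {backend}")
```

Run it against a real IIS log by replacing `SAMPLE_LOG` with the file contents; the ordinary Outlook Autodiscover request in the sample is deliberately left unflagged to show that a plain `@` in the `Email=` parameter is not by itself an indicator.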
This ransomware attack and others that exploit system vulnerabilities like the Microsoft Exchange Server vulnerability are a clear call-to-action for companies to step up their cloud migrations, said Chenxi Wang, general partner at Rain Capital.
“There are significant challenges for business owners to continuously monitor for and manage vulnerabilities for on-premises systems, while these applications and systems become an active and prime target for the ransomware ecosystem,” Wang said. “Business and IT leaders must take immediate steps to consider and migrate to cloud-delivered applications and systems to reduce risk in the future.”
John Hammond, senior cybersecurity researcher at Huntress, said with the holiday weekend approaching, the federal government has warned businesses and organizations to prepare themselves for more potential cyber and ransomware attacks.
“That means board up the windows — stay vigilant, tune up your security software, and patch, patch, patch,” Hammond said. “While preparing for the long weekend, patching Exchange against ProxyShell should be one of, if not the most, absolute top priority.”