The Conti ransomware gang is actively targeting unpatched Microsoft Exchange servers through the same exploit used to target servers earlier this year.
Conti is targeting networks with ProxyShell, an evolution of the ProxyLogon. Conti affiliates have used the tool to gain access to a targeted network and set up a remote web shell.
The attacks occur at a rapid pace. In one attack, minutes after installing a first web shell, a second web shell was installed. Within 30 minutes, the Conti attackers generated a complete list of the network’s computers, domain controllers and domain administrators. Four hours later, the attackers obtained the credentials of domain administrator accounts and began executing demands.
Within 48 hours of gaining access, the attackers had exfiltrated about 1 terabyte of data. Within five days, the Conti ransomware was deployed to every machine on the network, specifically targeting individual network shares on each computer.
It was also found that during the course of the attack that the Conti affiliates installed no fewer than seven back doors on the network: two web shells, Cobalt Strike and four commercial remote access tools called AnyDesk, Aterta, Splashtop and Remote Utilities. The web shells were used for early access, while Cobalt Strike and AnyDesk with the primary tools used for the rest of the attack.
The vulnerabilities were disclosed and patch by Microsoft earlier this year, but as is often the case with software updates, not all companies update their installations. Microsoft first warned that Chinese state-sponsored hackers were targeting the vulnerabilities in March.