Mandiant, Sophos detail dangerous ProxyShell attacks

by Joseph K. Clark

Multiple threat actors are now coalescing their activity around the ProxyShell vulnerabilities in Microsoft Exchange Server, which sparked alarm in cyber security circles in August following a botched disclosure process.

This is according to two pieces of new research from Mandiant and Sophos, which have been tracking activity around ProxyShell for several weeks now.

Mandiant said it had responded to multiple intrusions involving the exploitation of ProxyShell across various customers and industries. The widespread availability of proof-of-concept (PoC) exploits was not helping matters.

“Examples of proof-of-concept [PoC] exploits developed and released publicly by security researchers could be leveraged by any threat group, leading to adoption by threat groups with varying levels of sophistication,” said Mandiant’s research team in a blog post.

“Mandiant has observed the exploit chain resulting in post-exploitation activities, including the deployment of web shells, backdoors, and tunneling utilities to further compromise victim organizations. As of the release of this blog, Mandiant tracks eight independent clusters. Mandiant anticipates more clusters will be formed as different threat actors adopt working exploits.”

In one ProxyShell attack that its Managed Defense team responded to, a US-based university was targeted by a threat actor tracked by Mandiant as UNC2980. This is just one of several threat activity clusters that have popped up in the past few weeks and are assessed (albeit with low confidence at this point) to be a cyber-espionage op running out of China.

Mandiant said the group exploited the three common vulnerabilities and exposures (CVEs) that collectively make up ProxyShell to upload web shells to its targets and obtain initial access. It then used multiple publicly available tools, including Earthworm, HTran, Mimikatz and WMIExec, to uncover and make off with its trove of stolen data.

Meanwhile, Sophos’ incident response team shared details of an investigation into a series of recent attacks by an affiliate of the Conti ransomware gang, which also used ProxyShell to establish initial access before following the standard Conti playbook.


Conti is not by any means the first ransomware crew to have started using ProxyShell – those deploying the new LockFile ransomware have also been making hay – but the Conti attacks tracked by Sophos were unusual because they unfolded in record time, explained Sophos Labs senior threat researcher Sean Gallagher.

“As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours,” he said.

“In the case of one of the groups of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second backup web shell. Within 30 minutes, they had generated a complete list of the network’s computers, domain controllers, and domain administrators.

“Just four hours later, the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands,” said Gallagher. “Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.”

The Conti affiliate installed seven back doors on the target network during the attack, comprising two web shells, four commercial remote access tools – AnyDesk, Atera, Splashtop and Remote Utilities – and, inevitably, Cobalt Strike.

Gallagher urged Microsoft Exchange users to apply the fixes that mitigate the ProxyShell exploits, but noted that the available fixes require upgrading to a recent Exchange Server cumulative update. That effectively means reinstalling Exchange and accepting a period of downtime, which may be putting some users off.
