Mandiant, Sophos detail dangerous ProxyShell attacks

by Joseph K. Clark

Multiple threat actors are now coalescing their activity around the ProxyShell vulnerabilities in Microsoft Exchange Server, which sparked alarm in cyber security circles in August following a botched disclosure process.

This is according to two pieces of new research from Mandiant and Sophos, which have been tracking activity around ProxyShell for several weeks.

Mandiant said it had responded to multiple intrusions involving the exploitation of ProxyShell across various customers and industries. The widespread availability of proof-of-concept (POC) exploits was not helping matters.

“Examples of proof-of-concept [PoC] exploits developed and released publicly by security researchers could be leveraged by any threat group, leading to adoption by threat groups with varying levels of sophistication,” said Mandiant’s research team in a blog post.

Mandiant

“Mandiant has observed the exploit chain resulting in post-exploitation activities, including deploying web shells, backdoors, and tunneling utilities to compromise victim organizations further. As of the release of this blog, Mandiant tracks eight independent clusters. Mandiant anticipates more clusters will be formed as different threat actors adopt working exploits.”

In one ProxyShell attack that its Managed Defense team responded to, a US-based university was targeted by a threat actor tracked by Mandiant as UNC2980. This is just one of several threat activity clusters that have popped up in the past few weeks and are assessed (albeit with low confidence) to be a cyber-espionage op running out of China.

Mandiant said the group exploited the three common vulnerabilities and exposures (CVEs) that collectively make up ProxyShell to upload web shells to its targets to obtain initial access. It then uses multiple publicly available tools, including Earthworm, Horan, Mimikatz, and WMIExec, to uncover and make off with its trove of stolen data.

Meanwhile, Sophos’ incident response team shared details of an investigation into a series of recent attacks by an affiliate of the Conti ransomware gang, which also used ProxyShell to establish initial access before following the standard Conti playbook.

Conti is not by any means the first ransomware crew to have started using ProxyShell – those deploying the new LockFile ransomware have also been making hay – but the Conti attacks tracked by Sophos were unusual because they unfolded in record time, explained Sophos Labs senior threat researcher Sean Gallagher.

“As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours,” he said.

“In the case of one of the groups of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second backup web shell. Within 30 minutes, they generated a complete list of the network’s computers, domain controllers, and administrators.

“Just four hours later, the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands,” said Gallagher. “Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.”

During the attack, the Conti affiliate installed seven back doors on the target network, comprising two web shells, four commercial remote access tools – AnyDesk, Atera, Splashtop, and Remote Utilities – and, inevitably, Cobalt Strike.

Gallagher urged Microsoft Exchange users to apply fixes that mitigate the ProxyShell exploits but noted that the available holes require upgrading a recent Exchange Server cumulative update, meaning users must essentially reinstall Exchange and suffer a downtime which may be putting some off.

Related Posts