The Conti ransomware gang is actively targeting unpatched Microsoft Corp. Exchange servers through the same exploit used to target servers earlier this year.

Discovered and detailed Friday by researchers at Sophos plc, Conti is targeting networks with ProxyShell, an evolution of the ProxyLogon attack method used by the Epsilon Red ransomware gang in May. Conti affiliates have used the tool to gain access to a targeted network and set up a remote web shell.

The attacks occur at a rapid pace. In one case, minutes after installing a first web shell, a second web shell was installed. Within 30 minutes, the Conti attackers generated a complete list of the network’s computers, domain controllers and domain administrators. Four hours later, the attackers obtained the credentials of domain administrator accounts and began executing demands.

Within 48 hours of gaining access, the attackers had exfiltrated about 1 terabyte of data. Within five days, the Conti ransomware was deployed to every machine on the network, specifically targeting individual network shares on each computer.

“We want to highlight the speed at which the attack took place,” Peter Mackenzie, manager of incident response at Sophos, told SiliconANGLE. “Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, in this case, the Conti attackers gained access to the target’s network and set up a remote web shell in under one minute.”

It was also found that during the course of the attack that the Conti affiliates installed no fewer than seven back doors on the network: two web shells, Cobalt Strike and four commercial remote access tools called AnyDesk, Aterta, Splashtop and Remote Utilities. The web shells were used for early access, while Cobalt Strike and AnyDesk with the primary tools used for the rest of the attack.

The vulnerabilities were disclosed and patch by Microsoft earlier this year, but as is often the case with software updates, not all companies update their installations. Microsoft first warned that Chinese state-sponsored hackers were targeting the vulnerabilities in March. Tom Burt, corporate vice president of customer security and trust at Microsoft, noted that the best way to protect against the attacks was to apply the patches.

Many didn’t apply the patches and seemingly still haven’t today. In April, the U.S. Federal Bureau of Investigation took the unprecedented step of hacking compromised Exchange servers themselves to remove the vulnerabilities.

The Conti ransomware gang has been around since 2020 and has been linked to a range of attacks, including one targeting Ireland’s health service in May. Of note, Ireland’s police force carried out a major operation over the weekend concerning the attack. The Irish Times reports that websites, domain names and servers used in the attacks were seized.

Previous Conti victims include industrial computer manufacturer Advantech Co. Ltd. in November, VOIP hardware and software maker Sangoma Technologies Corp. in December and hospitals in Florida and Texas in February.

Conti was also the subject of an FBI warning in May that said that the gang and its affiliates were targeting healthcare providers.

Image: Microsoft