Conti ransomware gang is targeting unpatched Microsoft Exchange servers

The Conti ransomware gang is actively targeting unpatched Microsoft Corp. Exchange servers through the same exploit used to target servers earlier this year.

Discovered and detailed Friday by researchers at Sophos plc, Conti is targeting networks with ProxyShell, an evolution of the ProxyLogon attack method used by the Epsilon Red ransomware gang in May. Conti affiliates have used the tool to gain access to a targeted network and set up a remote web shell.

The attacks occur at a rapid pace. In one case, minutes after installing a first web shell, a second web shell was installed. Within 30 minutes, the Conti attackers generated a complete list of the network’s computers, domain controllers and domain administrators. Four hours later, the attackers obtained the credentials of domain administrator accounts and began executing demands.

Within 48 hours of gaining access, the attackers had exfiltrated about 1 terabyte of data. Within five days, the Conti ransomware was deployed to every machine on the network, specifically targeting individual network shares on each computer.

“We want to highlight the speed at which the attack took place,” Peter Mackenzie, manager of incident response at Sophos, told SiliconANGLE. “Contrary to the typical attacker dwell time of months or weeks before they drop ransomware, in this case, the Conti attackers gained access to the target’s network and set up a remote web shell in under one minute.”

It was also found that during the course of the attack that the Conti affiliates installed no fewer than seven back doors on the network: two web shells, Cobalt Strike and four commercial remote access tools called AnyDesk, Aterta, Splashtop and Remote Utilities. The web shells were used for early access, while Cobalt Strike and AnyDesk with the primary tools used for the rest of the attack.

The vulnerabilities were disclosed and patch by Microsoft earlier this year, but as is often the case with software updates, not all companies update their installations. Microsoft first warned that Chinese state-sponsored hackers were targeting the vulnerabilities in March. Tom Burt, corporate vice president of customer security and trust at Microsoft, noted that the best way to protect against the attacks was to apply the patches.

Many didn’t apply the patches and seemingly still haven’t today. In April, the U.S. Federal Bureau of Investigation took the unprecedented step of hacking compromised Exchange servers themselves to remove the vulnerabilities.

The Conti ransomware gang has been around since 2020 and has been linked to a range of attacks, including one targeting Ireland’s health service in May. Of note, Ireland’s police force carried out a major operation over the weekend concerning the attack. The Irish Times reports that websites, domain names and servers used in the attacks were seized.

Previous Conti victims include industrial computer manufacturer Advantech Co. Ltd. in November, VOIP hardware and software maker Sangoma Technologies Corp. in December and hospitals in Florida and Texas in February.

Conti was also the subject of an FBI warning in May that said that the gang and its affiliates were targeting healthcare providers.

Image: Microsoft

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy