ProxyShell leads to a domain-wide ransomware attack
According to a new report released Monday by the threat intelligence provider The DFIR Report, the ProxyShell vulnerabilities have led to domain-wide ransomware attacks on victims.
ProxyShell is the name given to three Microsoft Exchange Server vulnerabilities disclosed in July that together allow privilege escalation and remote code execution. According to Monday’s report, an unnamed, unpatched Exchange Server customer was the victim of a ransomware attack that exploited the vulnerabilities and compromised the organization’s entire domain.
The DFIR Report’s publication describes in technical detail how the threat actors placed multiple web shells on the victim’s network, obtained system-level privileges, stole a domain administrator account, and used the BitLocker and DiskCryptor encryption utilities to encrypt the victim’s systems.
Using the stolen domain administrator account, the adversaries performed a port scan with KPortScan 3.0, then moved laterally using RDP. The targeted servers included backup systems and domain controllers. According to the post, after gaining access the attacker deployed the FRP package on these same systems, “then, after deploying setup.bat to the environment’s servers using RDP, proceeded to utilize an open-source disk encryption utility to encrypt the workstations.” Setup.bat ran commands to enable BitLocker encryption, which made the hosts inoperable.
According to the report, the attack did not involve any ransomware-as-a-service offering and used “almost no malware.” The report also notes that this was a rare ransomware case in which neither Cobalt Strike nor any other C2 framework was used.
The time from initial exploitation to execution of the ransomware was 48 hours, according to The DFIR Report. The threat actors, who are not identified in the report, demanded $8,000 from the victim.
While ProxyShell has not reached the same level of prominence as the critical ProxyLogon vulnerabilities published earlier this year, ProxyShell attacks have been increasing since it was first disclosed.
We had one intrusion where an attacker used multiple Exchange ProxyShell vulnerabilities to drop several web shells. Over three days, three different web shells were dropped in publicly accessible directories.
After gaining a foothold on the Exchange system, the threat actors began discovery by running commands such as ipconfig, net, ping, systeminfo and others through the previously dropped web shells. This initial round of discovery included a network call to showtimes[.]com. The threat actors repeated these checks twice in the first two days. Day three began with the second stage of the intrusion.
Commands executed through the web shells ran with system-level privileges, which the threat actors took advantage of to enable the built-in DefaultAccount, set its password, and add it to the Administrators and Remote Desktop Users groups. The threat actors then dropped Plink and established an SSH tunnel to expose RDP over the tunnel. They then connected to the Exchange server through RDP using the DefaultAccount account.
Within minutes of connecting, the adversaries executed install-proxy.bat. After creating two directories, it moved CacheTask.bat, dllhost.exe and RuntimeBroker.exe into their respective directories, and a scheduled task was set to run install-proxy.bat. The installed components then provided network persistence through Fast Reverse Proxy (FRP), which proxied all RDP traffic for the rest of the intrusion.
To encrypt the workstations, the disk encryption utility was downloaded to them over RDP sessions and then run to install the utility and configure encryption. The utility required one reboot to install a kernel-mode driver, and a second reboot to lock access to the workstations.
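Each stage of the intrusion described above (the built-in DefaultAccount being enabled and added to privileged groups, Plink appearing on the Exchange host, a scheduled task pointing at install-proxy.bat, and BitLocker being switched on from the command line) leaves an event a defender can look for. The script below is an added example written for this page, not code from The DFIR Report or from the incident. The log lines are constructed, and the key=value layout and field names are assumptions; the event IDs are the standard Windows Security IDs for account enabled (4722), member added to a local group (4732) and scheduled task created (4698), plus Sysmon process creation (1).

```python
"""Added example: flag the intrusion stages described above in constructed
log lines. Log layout, field names and sample events are assumptions for
this illustration and are not taken from the DFIR report."""
import re
from collections import defaultdict

# Constructed sample events (not from the report), one key=value record per line.
SAMPLE_EVENTS = [
    "host=EXCH01 event_id=4722 user=DefaultAccount",
    "host=EXCH01 event_id=4732 member=DefaultAccount group=Administrators",
    "host=EXCH01 event_id=4732 member=DefaultAccount group='Remote Desktop Users'",
    "host=EXCH01 event_id=1 image='C:\\Windows\\Temp\\plink.exe'",
    "host=EXCH01 event_id=4698 task=ProxyInstall action='C:\\ProgramData\\install-proxy.bat'",
    "host=WS07 event_id=1 image='C:\\Windows\\System32\\cmd.exe' cmdline='cmd /c setup.bat'",
    "host=WS07 event_id=1 image='C:\\Windows\\System32\\manage-bde.exe' cmdline='manage-bde -on C:'",
    "host=WS02 event_id=1 image='C:\\Windows\\System32\\notepad.exe' cmdline=notepad.exe",
]

# key=value pairs; values may be single-quoted to allow spaces.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
# Groups whose membership gives the account both admin rights and RDP access.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def parse_event(line):
    """Turn one key=value line into a dict, stripping the quotes around values."""
    return {k: v.strip("'") for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one event to a stage of the described intrusion, or None if it matches nothing."""
    eid = ev.get("event_id")
    if eid == "4722" and ev.get("user", "").lower() == "defaultaccount":
        return "builtin-account-enabled"
    if (eid == "4732" and ev.get("member", "").lower() == "defaultaccount"
            and ev.get("group", "").lower() in PRIVILEGED_GROUPS):
        return "privileged-group-add"
    if eid == "4698" and basename(ev.get("action", "")) == "install-proxy.bat":
        return "persistence-scheduled-task"
    image = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "").lower()
    if image == "plink.exe":
        return "ssh-tunnel-tool"
    # manage-bde is the BitLocker command-line tool; "-on" turns encryption on.
    if image == "manage-bde.exe" and "-on" in cmd.split():
        return "bitlocker-enable"
    return None


def scan(lines):
    """Return (host, stage) findings and the hosts where two or more stages chain together."""
    findings = []
    stages_per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            host = ev.get("host", "?")
            findings.append((host, stage))
            stages_per_host[host].add(stage)
    chained = sorted(h for h, s in stages_per_host.items() if len(s) >= 2)
    return findings, chained


if __name__ == "__main__":
    found, chained = scan(SAMPLE_EVENTS)
    for host, stage in found:
        print(f"{host}: {stage}")
    print("hosts with chained stages:", chained)
```

Single matches such as one manage-bde invocation are noisy on their own (administrators do enable BitLocker), which is why `scan` also reports hosts where several distinct stages line up; in the sample data only the Exchange host reaches that threshold, mirroring the report's sequence of account enablement, tunnelling and scheduled-task persistence on the same server.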