Mandiant, Sophos detail dangerous ProxyShell attacks

Multiple threat actors are now coalescing their activity around the ProxyShell vulnerabilities in Microsoft Exchange Server, which sparked alarm in cyber security circles in August following a botched disclosure process.

This is according to two pieces of new research from Mandiant and Sophos, which have both been tracking activity around ProxyShell for several weeks now.

Mandiant said it had responded to multiple intrusions involving the exploitation of ProxyShell across various customers and industries, and that the widespread availability of proof-of-concept (PoC) exploits was not helping matters.

“Examples of proof-of-concept [PoC] exploits developed and released publicly by security researchers could be leveraged by any threat group, leading to adoption by threat groups with varying levels of sophistication,” said Mandiant’s research team in a blog post.

“Mandiant has observed the exploit chain resulting in post-exploitation activities, including the deployment of web shells, backdoors, and tunnelling utilities to further compromise victim organisations. As of the release of this blog, Mandiant tracks eight independent clusters. Mandiant anticipates more clusters will be formed as different threat actors adopt working exploits.”

In one ProxyShell attack that its Managed Defense team responded to, a US-based university was targeted by a threat actor tracked by Mandiant as UNC2980. This is just one of a number of threat activity clusters that has popped up in the past few weeks, and is assessed (albeit with low confidence at this point) to be a cyber-espionage op running out of China

Mandiant said the group was exploiting the three common vulnerabilities and exposures (CVEs) that collectively make up ProxyShell to upload web shells to its targets in order to obtain initial access. It then uses multiple publicly-available tools, including Earthworm, Htran, Mimikatz, and WMIExec, to uncover and make off with its trove of stolen data.

Meanwhile, Sophos’ incident response team shared details of an investigation into a series of recent attacks by an affiliate of the Conti ransomware gang, which also used ProxyShell to establish initial access prior to following the standard Conti playbook.

Conti is not by any means the first ransomware crew to have started using ProxyShell – those deploying the new LockFile ransomware have also been making hay – but the Conti attacks tracked by Sophos were unusual because they unfolded in record time, explained Sophos Labs senior threat researcher Sean Gallagher.

“As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours,” he said.

“In the case of one of the group of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second, backup web shell. Within 30 minutes they had generated a complete list of the network’s computers, domain controllers, and domain administrators.

“Just four hours later, the Conti affiliates had obtained the credentials of domain administrator accounts and began executing commands,” said Gallagher. “Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer.”

During the course of the attack, the Conti affiliate installed seven back doors on the target network, comprising two web shells, four commercial remote access tools – AnyDesk, Atera, Splashtop and Remote Utilities – and, inevitably, Cobalt Strike.

Gallagher urged Microsoft Exchange users to apply fixes that mitigate the ProxyShell exploits, but noted that the available fixes require upgrading a recent Exchange Server cumulative update, which means users must essentially reinstall Exchange and suffer a period of downtime, which may be putting some off.