New ransomware attack going after vulnerable Microsoft Exchange servers


What you need to know

  • A new ransomware attack is targeting vulnerable Microsoft Exchange servers.
  • The attack utilizes the same ProxyShell vulnerability exploits that were seen in the recent LockFile attacks.
  • Microsoft patched these vulnerabilities in May 2021, but attackers have found ways around these fixes.

Yet another group of attackers is targeting vulnerable Microsoft Exchange servers. This time it's a group known as Conti, which is using ProxyShell vulnerabilities to get into corporate networks. News of the attacks comes from Sophos, which was involved in an incident response case (via Bleeping Computer).

ProxyShell refers to three chained Microsoft Exchange vulnerabilities. When chained together, they give an attacker unauthenticated remote code execution on the server. The vulnerabilities were first discovered by Orange Tsai, and the ProxyShell exploits were also used in the recent LockFile attacks.

Microsoft patched the ProxyShell vulnerabilities in May 2021, but researchers and attackers have since been able to reproduce the exploit (via Peter Json). Some organizations still have not applied Microsoft's patch, leaving their servers vulnerable. Now that the technical details of the vulnerabilities have been published, threat actors know how to exploit them on unpatched servers.

In the Conti attacks, the attackers compromised Exchange servers and installed tools that gave them remote access to devices on the network. The threat actors were then able to steal unencrypted data.

A worrying detail about this attack is the speed at which it was completed. "Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data," says Sophos. "After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer."

The Conti attackers used an address at "@evil.corp," a domain name that should raise several red flags for anyone watching the server's traffic.
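As an added illustration (this is not code from the article, from Sophos, or from Microsoft), the script below hunts an IIS request log for the "@evil.corp" string the article calls out. The W3C field layout and every log line are constructed sample input, and the assumption that the indicator would show up in the request path or query string (possibly URL-encoded) is mine; the point is the hunt itself, which also works against a real IIS log exported from an Exchange server.

```python
"""Hunt an IIS W3C request log for the "@evil.corp" indicator.

Added example: the log lines below are constructed, not taken from the
incident the article describes, and the field order is a typical IIS
default rather than anything the article specifies.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List
from urllib.parse import unquote

# Indicator named in the article. Any request carrying it is hostile.
INDICATOR = "@evil.corp"

# Constructed sample log in IIS W3C format (raw string so the backslash in
# CORP\jdoe is kept literally). Two hits, both from the same client IP,
# one of them URL-encoded.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2021-09-01 10:00:01 10.0.0.5 GET /owa/ - CORP\jdoe 192.0.2.10 200
2021-09-01 10:00:07 10.0.0.5 POST /autodiscover/autodiscover.json Email=test@evil.corp - 198.51.100.7 200
2021-09-01 10:00:09 10.0.0.5 POST /autodiscover/autodiscover.json Email=test%40evil.corp - 198.51.100.7 200
2021-09-01 10:01:15 10.0.0.5 GET /ecp/ - CORP\asmith 192.0.2.11 200
2021-09-01 10:02:00 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ - 203.0.113.9 200
"""


@dataclass
class Hit:
    """One request that carried the indicator."""
    timestamp: str
    client_ip: str
    method: str
    uri: str
    query: str
    status: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names from the #Fields: line.

    IIS logs can change schema mid-file, so the field list is re-read every
    time a #Fields: directive appears. Lines whose column count does not
    match the schema are skipped rather than mis-assigned.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_indicator_hits(lines: Iterable[str], indicator: str = INDICATOR) -> List[Hit]:
    """Return every request whose path or query contains the indicator.

    The comparison is made on the URL-decoded, lower-cased path+query so that
    "%40evil.corp" and "@EVIL.CORP" are caught as well as the plain form.
    """
    needle = indicator.lower()
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        haystack = unquote(stem + "?" + query).lower()
        if needle in haystack:
            hits.append(Hit(
                timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
                client_ip=rec.get("c-ip", ""),
                method=rec.get("cs-method", ""),
                uri=stem,
                query=query,
                status=rec.get("sc-status", ""),
            ))
    return hits


def summarize_by_client(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits per source address so the responder knows where to look first."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit.client_ip] = counts.get(hit.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_indicator_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.client_ip} {h.method} {h.uri}?{h.query} -> {h.status}")
    print("hits per client:", summarize_by_client(found))
```

Point the script at a real log by replacing `SAMPLE_LOG.splitlines()` with an open file handle; a single hit is enough to justify pulling the server for forensic review, because the article's timeline (data exfiltration within 48 hours, ransomware within five days) leaves little room for a slow triage.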

To keep servers protected, Exchange server admins need to apply Microsoft's most recent cumulative updates.

Sean Endicott
News Writer and apps editor

