New ransomware attack going after vulnerable Microsoft Exchange servers
A new ransomware attack highlights the importance of updating Microsoft Exchange servers.
What you need to know
- A new ransomware attack is targeting vulnerable Microsoft Exchange servers.
- The attack utilizes the same ProxyShell vulnerability exploits that were seen in the recent LockFile attacks.
- Microsoft patched these vulnerabilities in May 2021, but attackers have found ways around these fixes.
Yet another group of attackers is targeting vulnerable Microsoft Exchange servers. This time it's a group known as Conti, which is using ProxyShell vulnerabilities to get into corporate networks. News of the attacks comes from Sophos, which was involved in an incident response case (via Bleeping Computer).
ProxyShell refers to three chained Microsoft Exchange vulnerabilities. When exploited, attackers can use it for unauthenticated, remote execution. The vulnerabilities were first discovered by Orange Tsai. The ProxyShell vulnerabilities were also said to be utilized in the recent LockFile attacks.
Microsoft patched the ProxyShell vulnerabilities in May 2021, but researchers and attackers have since been about to reproduce the exploit (via Peter Json). Some organizations have not implemented Microsoft's patch yet, leaving servers vulnerable. Since the technical details of the vulnerabilities have been released, threat actors know how to exploit them on unpatched servers.
The attacks by Conti saw attackers compromise servers and installing tools to gain remote access to devices. The threat actors were then able to steal unencrypted data.
A worrying detail about this attack is the speed at which it was completed. "Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data," says Sophos. "After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer."
The attackers from Conti used an email from "@evil.corp," which raises several red flags.
To keep servers protected, Exchange server admins need to apply Microsoft's most recent cumulative updates.
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.