“ProxyShell” vulnerabilities have caused domain-wide ransomware attacks against victims, according to new research published Monday by threat intelligence provider The DFIR Report.
ProxyShell is the name given to three Microsoft Exchange Server vulnerabilities disclosed in July that, chained together, allow privilege escalation and remote code execution. According to Monday’s report, an unpatched and unnamed Exchange Server customer fell victim to a ransomware attack that exploited the vulnerabilities and compromised the organization’s entire domain.
The DFIR Report’s post describes in technical detail how the threat actors dropped multiple web shells on the victim’s network, executed commands that granted them system-level privileges, stole a domain administrator account, and used the BitLocker and DiskCryptor encryption software to encrypt victim systems.
“Using the stolen domain administrator account, the adversaries performed a port scan with KPortScan 3.0 and then moved laterally using RDP. Targeted servers included backup systems and domain controllers. The threat actor also deployed the FRP package to these systems after gaining access,” the post read. “Finally, the threat actors deployed setup.bat to the servers in the environment using RDP, then used an open-source disk encryption utility to encrypt the workstations. Setup.bat ran commands to enable BitLocker encryption, which rendered the hosts unusable.”
The attack did not involve any ransomware-as-a-service tooling and used “almost no malware,” according to the report. Additionally, “this was a rare case of a ransomware attack where Cobalt Strike was not used or any other C2 framework.”
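Because the intrusion described above relied on living-off-the-land activity rather than malware, process-creation telemetry is where a defender would look for it. The following detection sketch is an added example, not code from the article or from The DFIR Report: it runs three simple rules over constructed Sysmon/4688-style records covering the stages the report names (web shell command execution from the IIS worker process, an FRP client, and BitLocker being enabled from a batch script). The binary names frpc.exe and manage-bde.exe are assumptions about what those stages look like on disk, and every log record is constructed sample data.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 / 4688 style).
# These are invented for the example and are not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "BACKUP01", "user": r"CORP\admin_svc", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\ProgramData\frp\frpc.exe", "cmdline": "frpc.exe -c frpc.ini"},
    {"host": "DC01", "user": r"CORP\admin_svc", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -on C: -RecoveryPassword -UsedSpaceOnly"},
    {"host": "WS042", "user": r"CORP\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

def _basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_webshell_child(e):
    # IIS worker process spawning a shell: the usual footprint of web shell command execution.
    return _basename(e["parent"]) == "w3wp.exe" and _basename(e["image"]) in {"cmd.exe", "powershell.exe"}

def rule_frp_client(e):
    # FRP reverse-proxy client on a server; assumption: the default client binary name frpc.exe.
    return _basename(e["image"]) == "frpc.exe" or "frpc" in e["cmdline"].lower()

def rule_bitlocker_enable_from_script(e):
    # manage-bde -on launched by cmd.exe (e.g. from a batch file such as setup.bat)
    # rather than interactively; encryption of a DC or backup host this way is a red flag.
    return (_basename(e["image"]) == "manage-bde.exe"
            and re.search(r"(^|\s)-on(\s|$)", e["cmdline"], re.I) is not None
            and _basename(e["parent"]) == "cmd.exe")

RULES = {
    "webshell_child_process": rule_webshell_child,
    "frp_client": rule_frp_client,
    "bitlocker_enabled_from_script": rule_bitlocker_enable_from_script,
}

def detect(events):
    """Return (host, rule_name) pairs for every record that matches a rule."""
    return [(e["host"], name) for e in events for name, rule in RULES.items() if rule(e)]

if __name__ == "__main__":
    for host, name in detect(SAMPLE_EVENTS):
        print(f"{host}: {name}")
```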
The ransom deadline was 48 hours, according to the DFIR Report, which also describes the time between the initial exploit and the execution of the ransomware. The threat actors, who were not identified in the post, demanded $8,000 from the victim.
Although ProxyShell has not reached the same prominence as the critical ProxyLogon flaws revealed earlier this year, ProxyShell attacks have increased since the vulnerabilities were discovered. That said, many servers remain unpatched.
According to a recent Shodan query of Internet-facing Exchange servers, 23,000 detected servers are not patched for ProxyShell, while around 10,000 are vulnerable to ProxyLogon. Three months ago, ProxyShell’s numbers were around 48,000 servers.
The DFIR Report did not respond to SearchSecurity’s request for comment.
Alexander Culafi is a Boston-based writer, journalist, and podcaster.