ProxyShell leads to domain-wide ransomware attack

The “ProxyShell” vulnerabilities have triggered domain-wide ransomware attacks against victims, according to a new study released Monday by threat intelligence provider The DFIR Report.

ProxyShell is the name given to three Microsoft Exchange Server vulnerabilities revealed in July that together are capable of elevating privileges and executing code remotely. According to Monday’s report, an unpatched and anonymous Exchange Server client was the victim of ransomware attacks that exploited the vulnerabilities and compromised the entire domain of the organization.

The DFIR Report article describes in detail how the threat actors dropped multiple web shells on the victim’s network, executed commands that granted them system-level privileges, stole a domain administrator account, and used the BitLocker and DiskCryptor disk encryption tools to encrypt the victim’s systems.

“Using the stolen domain administrator account, adversaries performed a port scan with KPortScan 3.0, then moved sideways using RDP. Targeted servers included backup systems and domain controllers. The threat actor also deployed the FRP package to these systems after gaining access,” the post read. “Finally, the malicious actors deployed setup.bat to the environment’s servers using RDP, then used an open source disk encryption utility to encrypt the workstations. Setup.bat ran commands to enable BitLocker encryption, which made the hosts inoperable.”

The attack did not involve any ransomware-as-a-service offering and used “almost no malware,” according to the report. Additionally, “this was a rare case of a ransomware attack where Cobalt Strike was not used or any other C2 framework.”

The whole intrusion took 48 hours, according to the DFIR Report, measured from the initial exploitation to the execution of the ransomware. The threat actors, who were not identified in the report, demanded $8,000 from the victim.

While ProxyShell has not achieved the same prominence as the critical ProxyLogon flaws disclosed earlier this year, ProxyShell attacks have been on the rise since the vulnerabilities were first disclosed, and many servers are still not patched.

According to a recent Shodan query of Exchange servers connected to the internet, roughly 23,000 detected servers are not patched for ProxyShell, while approximately 10,000 remain vulnerable to ProxyLogon. Three months ago, the ProxyShell figure was around 48,000 servers.

The DFIR Report did not respond to SearchSecurity’s request for comment.

Alexander Culafi is a Boston-based writer, journalist and podcaster.