Conti Ransomware Now Targeting Exchange Servers with ProxyShell Exploits

The Conti ransomware group is now targeting Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell exploits. ProxyShell is the name given to an exploit chain of three Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that together allow unauthenticated remote code execution on unpatched servers.

These three vulnerabilities were discovered by Devcore's Orange Tsai, who used them in the Pwn2Own 2021 hacking contest.

While Microsoft fully patched these vulnerabilities in May 2021, technical details on exploiting them were only recently released, allowing threat actors to begin using them in attacks. So far, threat actors have used the ProxyShell vulnerabilities to drop web shells and backdoors and to deploy the LockFile ransomware.

Conti now using ProxyShell to breach networks

Last week, Sophos was involved in an incident response case in which the Conti ransomware group encrypted a customer's network. After examining the attack, Sophos found that the attackers initially compromised the network using the recently disclosed Microsoft Exchange ProxyShell vulnerabilities.

As in other recent Microsoft Exchange attacks, the attackers first drop web shells, which they use to run commands, download software, and further compromise the server. Once the attackers had full control of the server, Sophos observed them quickly falling into their standard playbook, as outlined in the recently leaked Conti training material.

That playbook consists of collecting lists of domain admins and computers, dumping LSASS to obtain administrator credentials, and moving laterally through the network to other servers. As the threat actors compromise more servers, they install multiple tools that give them remote access to the devices, such as AnyDesk and Cobalt Strike beacons.


After gaining a foothold on the network, the attackers stole unencrypted data and uploaded it to the MEGA file-sharing service. After five days, they began encrypting the devices on the network from a server with no antivirus protection, using the following command:

Command: start C:\x64.exe -m -net -size 10 -nomutex -p \\[computer Active Directory name]\C$    

What makes this particular case stand out is the speed and precision with which the group conducted the attack: it took only 48 hours from the initial breach to the theft of 1 TB of data.

"Within 48 hours of gaining that initial access, the attackers had exfiltrated about 1 Terabyte of data. After five days had passed, they deployed the Conti ransomware to every machine on the network, specifically targeting individual network shares on each computer," explained Sophos in their report.

"Throughout the intrusion, the Conti affiliates installed no fewer than seven back doors on the network: two web shells, Cobalt Strike, and four commercial remote access tools (AnyDesk, Atera, Splashtop, and Remote Utilities)."

"The web shells, installed early on, were used mainly for initial access; Cobalt Strike and AnyDesk were the primary tools they used for the remainder of the attack."

How to Check and Patch Your Exchange Servers

When initiating attacks using ProxyShell, the attackers target the Autodiscover service with requests like the following:

Request: https://Exchange-server/autodiscover/autodiscover.json?@evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp

To check whether your Exchange server has been targeted, analyze the IIS logs for requests to "/autodiscover/autodiscover.json" whose query string contains strange or unknown email addresses or domains; the "%3F" (an encoded "?") followed by a second reference to autodiscover.json is the tell-tale sign of the ProxyShell path-confusion trick.

In the Conti case investigated by Sophos, the attackers used an address at @evil.corp, which should make the malicious requests easy to spot. Keep in mind, though, that other attackers can choose any domain, including one that looks like yours, so look at the shape of the request and not just the domain.
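The IIS log check described above, written out as an added example (this is not code from the article or from Sophos). It parses W3C-format IIS log lines, keeps only requests to /autodiscover/autodiscover.json, and flags those whose query string carries a mail domain outside your own, a second (URL-encoded) reference to autodiscover.json in the Email parameter, or a smuggled back-end path such as /mapi/nspi or /powershell. The log lines, the IP addresses and the ORG_DOMAINS allow-list are constructed for the example; replace the allow-list with your own mail domains and feed it your real u_ex*.log files.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Assumption: the organisation's own mail domains. Addresses at any other
# domain appearing in an autodiscover.json query are treated as suspicious.
ORG_DOMAINS = {"corp.example"}

# Constructed IIS W3C log excerpt (not from the Sophos case): two ProxyShell
# probes using the @evil.corp marker, then two ordinary Autodiscover requests.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-09-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-01 10:15:01 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 200
2021-09-01 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=abc 443 - 203.0.113.7 python-requests/2.25.1 200
2021-09-01 10:16:30 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\jdoe 10.0.1.22 Microsoft+Office/16.0 200
2021-09-01 10:17:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe@corp.example 443 - 10.0.1.23 Outlook/16.0 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    reason: str


def parse_iis_w3c(text):
    """Yield (line_number, {field: value}) for each request line, using the
    most recent '#Fields:' header to name the columns."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign
        yield n, dict(zip(fields, parts))


def proxyshell_reasons(stem, query, org_domains=ORG_DOMAINS):
    """Return the list of reasons a request looks like a ProxyShell probe
    (empty list for benign requests)."""
    reasons = []
    if not stem.lower().endswith("/autodiscover/autodiscover.json"):
        return reasons
    # Decode once so the %3F in the Email parameter becomes a literal '?'.
    q = unquote("" if query == "-" else query).lower()
    # 1. Mail domain that is not ours (the "strange or unknown email" check).
    for dom in sorted(set(re.findall(r"@([a-z0-9.-]+)", q))):
        if dom not in org_domains:
            reasons.append(f"unknown mail domain '@{dom}'")
    # 2. Email parameter pointing back at autodiscover.json: the path-confusion
    #    signature, which works regardless of the domain chosen.
    if "email=" in q and "autodiscover.json?" in q:
        reasons.append("Email parameter references autodiscover.json")
    # 3. A back-end path smuggled into the query string.
    for backend in ("/mapi/nspi", "/powershell", "/ews/"):
        if backend in q:
            reasons.append(f"back-end path '{backend}' in query")
    return reasons


def scan_iis_log(text, org_domains=ORG_DOMAINS):
    """Scan a whole IIS log and return one Finding per suspicious request."""
    findings = []
    for n, row in parse_iis_w3c(text):
        stem, query = row.get("cs-uri-stem", "-"), row.get("cs-uri-query", "-")
        reasons = proxyshell_reasons(stem, query, org_domains)
        if reasons:
            findings.append(Finding(n, row.get("c-ip", "-"),
                                    f"{stem}?{query}", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"line {f.line_no} from {f.client_ip}: {f.reason}\n  {f.uri}")
```

Run it against a directory of real logs by reading each file and passing its contents to scan_iis_log; the second and third checks are the ones to rely on, since an attacker who knows your domain can defeat the allow-list alone.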


There is no doubt that the ProxyShell vulnerabilities are being exploited by a wide range of attackers right now, and every Microsoft Exchange server admin needs to apply the latest Cumulative Update and Security Update to stay protected. Note that Exchange Security Updates only install on a currently supported Cumulative Update, so a server that is behind on CUs must be brought up to date first.

Unfortunately, this means mail downtime while the update is installed, but that is far better than the downtime and costs a successful ransomware attack will incur.
