Admins should close the ProxyShell vulnerabilities in Exchange Server with the available security updates.
Cyber criminals are currently targeting Exchange servers and using Conti ransomware to encrypt business data. Security updates have been available since April.
Sophos reports that it has observed attacks in which cyber criminals use the known critical ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to spread systematically across the network and install malware. The vulnerabilities allow attackers to bypass authentication remotely, elevate their privileges and install their own code on the system.
The Sophos researchers say that within a few days the cyber criminals had left seven backdoors on the system for later access, copied 1 TB of data and deployed the Conti encryption trojan.
The Autodiscover feature is abused by the cyber criminals, typically with a request like
https://Exchange-server/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com
To detect such attacks, admins can, for example, search the web server log files for requests to /autodiscover/autodiscover.json that contain unknown email addresses.
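The log check described above, as an added example that is not code from the article or from Sophos: it scans IIS W3C log lines (constructed sample lines, default Exchange field order) for requests to autodiscover.json that either embed a second autodiscover/mapi path, as in the request shape quoted above, or name an email domain outside an assumed list of the organisation's own domains.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log lines in the default Exchange field order
# (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status).
# Sample lines written for this example, not lines from the Sophos report.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-10 10:01:02 10.0.0.5 GET /autodiscover/autodiscover.json @foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-10 10:02:15 10.0.0.5 POST /autodiscover/autodiscover.json Email=alice@corp.example 443 CORP\\alice 10.0.0.23 Outlook/16.0 200
2021-08-10 10:03:44 10.0.0.5 GET /owa/ - 443 - 10.0.0.24 Mozilla/5.0 200
2021-08-10 10:05:09 10.0.0.5 GET /autodiscover/autodiscover.json Email=bob@unknown.example 443 - 198.51.100.9 curl/7.68.0 200
"""

# Assumption: the organisation's own mail domains. Any other domain in an
# autodiscover.json request is "unknown" in the sense the article uses.
KNOWN_DOMAINS = {"corp.example"}

DOMAIN_RE = re.compile(r"@([a-z0-9.-]+\.[a-z]{2,})")


def classify(line, known_domains=KNOWN_DOMAINS):
    """Return a reason if the line is a suspicious autodiscover.json request, else None."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 9:
        return None
    uri_stem, query = fields[4].lower(), unquote(fields[5]).lower()
    if not uri_stem.endswith("/autodiscover/autodiscover.json"):
        return None
    # A second autodiscover.json or a /mapi/nspi path inside the query string
    # is the request shape quoted in the article.
    if "autodiscover.json" in query or "/mapi/nspi" in query:
        return "nested autodiscover/mapi path in query"
    # Otherwise flag any email domain that is not one of our own.
    unknown = {d for d in DOMAIN_RE.findall(query) if d not in known_domains}
    if unknown:
        return "unknown mail domain(s): " + ", ".join(sorted(unknown))
    return None


def scan(log_text, known_domains=KNOWN_DOMAINS):
    """Return (client_ip, reason, line) for every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line, known_domains)
        if reason:
            hits.append((line.split()[8], reason, line))
    return hits


if __name__ == "__main__":
    for ip, reason, line in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}\n  {line}")
```

Point `scan` at the contents of a real IIS log (typically under the inetpub LogFiles directory) and adjust KNOWN_DOMAINS to your own mail domains; the field offsets assume the default Exchange logging fields.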
Schindler IT-Solutions GmbH, certified consultants, Sophos partner and member of the Cybersecurity Hotline 0800 888 133, has been focusing on data security for more than 20 years.