Admins should close the ProxyShell vulnerabilities in Exchange Server with the available security updates.
Cybercriminals are currently targeting Exchange servers and using Conti ransomware to encrypt business data. Security updates have been available since April 2021 (the last of the three fixes followed in May 2021).
Sophos reports that it has observed attacks in which cybercriminals use the ProxyShell vulnerabilities, rated "critical" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to move systematically across the network and install malware. Chained together, the flaws let an unauthenticated remote attacker bypass authentication on the Exchange front end, obtain elevated privileges and run their own code on the server.
The Sophos researchers describe a case in which the attackers planted seven backdoors on the system for later access within a few days, copied around 1 TB of data and then launched the Conti encryption trojan.
The attackers abuse the Autodiscover endpoint, typically with a request such as
https://Exchange-server/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com
To detect such attacks, admins can search the IIS log files for requests to /autodiscover/autodiscover.json whose Email parameter contains e-mail addresses or domains that do not belong to the organisation, or that smuggle a backend path such as /mapi/nspi into the query string.
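The following hunt script is an added example and not code from the original page or from Sophos. It parses IIS W3C log lines in the default field order, decodes the query string once, and flags Autodiscover requests whose Email parameter names a domain outside the organisation, nests the Autodiscover path a second time, or carries a backend path such as /mapi/nspi. The organisation domain list and the three log lines are constructed for illustration; replace KNOWN_DOMAINS with your own accepted domains and feed it the u_ex*.log files from the Exchange front end.

```python
"""Hunt for ProxyShell-style Autodiscover abuse in IIS W3C logs (added example)."""
import re
from urllib.parse import unquote

# Hypothetical: the e-mail domains this Exchange organisation legitimately serves.
KNOWN_DOMAINS = {"contoso.com", "mail.contoso.com"}

# Default IIS W3C field order, as listed in the #Fields: header of u_ex*.log files.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Backend paths that have no business inside an Autodiscover query string.
BACKEND_PATHS = ("/mapi/nspi", "/powershell", "/ews/", "/ecp/")

EMAIL_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def parse_line(line):
    """Split one IIS W3C log line into a dict; comment and short lines give None."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def suspicious_reasons(entry):
    """Return the reasons an Autodiscover request looks like a ProxyShell probe."""
    if "/autodiscover/autodiscover.json" not in entry["cs-uri-stem"].lower():
        return []
    query = unquote(entry["cs-uri-query"])  # turns %3F back into '?' and so on
    q = query.lower()
    reasons = []
    # Path confusion: the Autodiscover path reappears inside the Email parameter.
    if "autodiscover.json" in q:
        reasons.append("autodiscover path nested in query")
    # A backend path smuggled in after the '@domain' token.
    for backend in BACKEND_PATHS:
        if backend in q:
            reasons.append(f"backend path in query: {backend}")
    # Any e-mail domain the organisation does not serve is unexpected here.
    for domain in sorted(set(EMAIL_DOMAIN_RE.findall(query))):
        if domain.lower() not in KNOWN_DOMAINS:
            reasons.append(f"unknown domain: {domain}")
    return reasons


def hunt(log_text):
    """Return (client ip, uri stem, reasons) for every suspicious line in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], reasons))
    return hits


# Constructed sample log: one Outlook Autodiscover call, one ProxyShell probe,
# one legitimate JSON Autodiscover request for an internal user.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-09-01 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CONTOSO\\alice 10.0.0.77 Outlook/16.0 - 200 0 0 31
2021-09-01 10:00:09 10.0.0.5 GET /autodiscover/autodiscover.json @foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 140
2021-09-01 10:00:15 10.0.0.5 GET /autodiscover/autodiscover.json Email=bob@contoso.com 443 CONTOSO\\bob 10.0.0.78 Outlook/16.0 - 200 0 0 12
"""

if __name__ == "__main__":
    for client_ip, stem, reasons in hunt(SAMPLE_LOG):
        print(f"{client_ip} {stem}: {'; '.join(reasons)}")
```

Run it against real logs by replacing SAMPLE_LOG with the contents of the front-end IIS log files; a hit with "backend path in query" or "autodiscover path nested in query" is worth a full investigation of that client IP, because a legitimate Outlook client never builds such a request.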
Schindler IT-Solutions GmbH – certified consultants, Sophos partners and.
We are a member of the cybersecurity hotline 0800 888 133 and have been focusing on data security for more than 20 years.