An investigation into recent attacks by a Conti affiliate reveals that the attackers initially accessed targeted organizations’ networks with ProxyShell, an exploit of vulnerabilities in Microsoft Exchange that have been the subject of multiple critical updates over the past several months. The attacker otherwise closely followed the game plan laid out in a recently leaked set of documentation attributed to Conti’s operators. ProxyShell represents an evolution of the ProxyLogon attack method. As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours. In recent months, the exploit has become a mainstay of ransomware attacker playbooks, including those deploying the new LockFile ransomware first seen in July. In the case of one of the group of ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute. Three minutes later, they installed a second, backup web shell.