Exchange server attacks don’t stop – attackers install 7 backdoors

Exchange server attacks don't stop - attackers install 7 backdoors

Attackers are currently targeting Microsoft Exchange Server again. After successful attacks, they place back doors in systems, copy business information and encrypt data with the Conti ransomware. Security patches have been available since April.

In a report, Sophos security researchers say that they have observed attacks in which attackers after exploiting the as “criticalSystematically spread the vulnerabilities named ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in networks and install malicious code. If attackers combine the vulnerabilities, they can attack systems remotely, bypass authentication, obtain increased user rights and execute their own code.

The researchers state that the attackers left seven backdoors in the system for later access within a few days. They also copied 1 terabyte of data and let the Conti encryption Trojans off the leash.

For attacks, attackers use the vulnerable autodiscovery function. Typically this happens with requests like this:

https://Exchange-server/autodiscover/[email protected]/mapi/nspi/?&Email=autodiscover/autodiscover.json%[email protected]

Under /autodiscover/autodiscover.json, admins can search log files for unknown e-mail addresses in order to detect attempted attacks. In the current case, addresses should appear with @ evil.corp.

The tools of the Conti ransomware are like a Swiss army knife of the attacker and they offer extremely diverse attack possibilities.

(Image: Sophos)

Since installing the security patches that have been available since April amounts to an upgrade and e-mails via Exchange Server do not arrive or go out during this period, some admins have obviously not yet installed the updates. That should happen now at the latest. The risk emanating from the gaps is very high and attackers have been actively exploiting the ProxyShell vulnerabilities for around a month.


Leave a Reply

Your email address will not be published.