
Symantec: Staging activity observed on Exchange servers

Threat actors appear to be targeting Microsoft Exchange servers with pre-ransomware activity, including one attempt to exfiltrate data.

Early signs of ransomware staging have been spotted on Microsoft Exchange servers.

In a security bulletin Wednesday, Symantec warned of potential pre-ransomware activity targeting the email platform. The software vendor said it "observed" attempts by threat actors to install "legitimate remote control software" and tools on the targeted networks of several U.S. sectors, including energy and healthcare. Threat actors also tried to exfiltrate data from at least one target using Rclone. The open source file-transfer application is commonly used to stage data for double extortion tactics.

The final payload of this campaign, according to Symantec, remains unknown. However, it mimics the activity of a known ransomware gang.

"The observed pre-encryption attack chain and tools are consistent with public reports of recent Conti ransomware activity," the advisory said.

That includes Cobalt Strike and credential theft tools like Mimikatz, as well as network and domain discovery tools. Past Conti attacks have leveraged Cobalt Strike.
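The tooling Symantec lists (Rclone for exfiltration, Mimikatz for credential theft, domain discovery commands) all shows up as process creations before any encryption, which is the window defenders have to act in. The script below is an added example and not part of Symantec's bulletin: it triages a constructed set of process-creation events (the JSON field names `host`, `user`, `image` and `cmdline` are assumptions) and reports which hosts show more than one staging tactic. It also handles the common false positive of Rclone copying to a local or UNC path, which is a normal backup job rather than exfiltration to a configured cloud remote.

```python
"""Triage process-creation logs for pre-ransomware staging tactics.

Added example, not from Symantec's bulletin. The log lines below are
constructed, and the event schema (host, user, image, cmdline) is assumed.
"""
import json
import re
from typing import Dict, Optional, Set

# Constructed sample events (JSON lines). WS01 shows the staging pattern;
# FS02 runs Rclone against a UNC share, which is an ordinary backup job.
SAMPLE_LOG = r"""
{"ts":"2021-09-22T10:01:00Z","host":"WS01","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"ts":"2021-09-22T10:03:10Z","host":"WS01","user":"CORP\\jsmith","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy C:\\Shares\\HR mega:backup --transfers 32"}
{"ts":"2021-09-22T10:04:00Z","host":"WS01","user":"CORP\\jsmith","image":"C:\\Temp\\mimikatz.exe","cmdline":"mimikatz.exe"}
{"ts":"2021-09-22T10:05:00Z","host":"WS01","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\net.exe","cmdline":"net group \"Domain Admins\" /domain"}
{"ts":"2021-09-22T10:06:00Z","host":"WS01","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\nltest.exe","cmdline":"nltest /dclist:corp"}
{"ts":"2021-09-22T11:00:00Z","host":"FS02","user":"CORP\\backup","image":"C:\\Program Files\\rclone\\rclone.exe","cmdline":"rclone.exe sync D:\\Backups \\\\nas01\\backups"}
"""

# Rclone addresses a configured remote as "name:path". A single letter followed
# by a colon is a Windows drive, so a remote name must be two or more characters
# and must not be part of a path (not preceded by a backslash or word character).
RCLONE_REMOTE = re.compile(r"(?<![\w\\])([A-Za-z][\w-]+):(?![\\/])")
RCLONE_TRANSFER = {"copy", "sync", "move", "copyto", "moveto"}


def image_name(image: str) -> str:
    """Return the lower-cased file name of a process image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Map one process-creation event to a staging tactic, or None."""
    name = image_name(event["image"])
    cmd = event["cmdline"]
    args = cmd.split()
    low = cmd.lower()

    if name == "rclone.exe" and len(args) > 1 and args[1].lower() in RCLONE_TRANSFER:
        # Only a transfer whose target is a configured remote counts as exfiltration;
        # local-to-local or local-to-UNC transfers are typical backup jobs.
        if any(RCLONE_REMOTE.search(a) for a in args[2:]):
            return "exfiltration"
        return None

    # Name matching is the weakest signal: a renamed binary evades it, so in
    # production pair this with memory-access or LSASS-handle telemetry.
    if "mimikatz" in name or "mimikatz" in low:
        return "credential_theft"

    if name == "net.exe" and "/domain" in low:
        return "discovery"
    if name == "nltest.exe" and ("/dclist" in low or "/domain_trusts" in low):
        return "discovery"
    return None


def triage(log_text: str) -> Dict[str, Set[str]]:
    """Return the set of staging tactics observed on each host."""
    seen: Dict[str, Set[str]] = {}
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        tactics = seen.setdefault(event["host"], set())
        tactic = classify(event)
        if tactic:
            tactics.add(tactic)
    return seen


def staging_hosts(seen: Dict[str, Set[str]], minimum: int = 2):
    """Hosts showing at least `minimum` distinct tactics, i.e. a likely attack chain."""
    return sorted(host for host, tactics in seen.items() if len(tactics) >= minimum)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, tactics in result.items():
        print(host, sorted(tactics))
    print("staging hosts:", staging_hosts(result))
```

Requiring two or more distinct tactics on one host before raising the alert is the point of the example: any single indicator here has benign look-alikes, but Rclone to a cloud remote plus credential dumping plus domain enumeration on the same workstation is the chain the advisory describes, and it precedes encryption by hours or days.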

Conti gained attention after ongoing attacks against U.S. companies and hospitals prompted an alert from the FBI in May. That same month, Conti hit data backup specialist ExaGrid for $2.6 million after exfiltrating a variety of data, including employee records. It appears the situation is only escalating.

On Wednesday, a joint advisory by the Cybersecurity and Infrastructure Security Agency, FBI and National Security Agency (NSA) warned of "increased Conti ransomware attacks."

While the operators behind the pre-ransomware activity have not been confirmed, the staging activity has. Security researcher Kevin Beaumont took to Twitter Wednesday to separately verify Broadcom's report.

Last month, Beaumont tracked another issue discovered in Microsoft Exchange servers, a chain of attacks that actively exploited three different flaws known as ProxyShell. The high-severity flaws enabled remote code execution, and two scored 9.8 on the Common Vulnerability Scoring System (CVSS). Exchange servers were also affected by ProxyLogon, a server-side request forgery flaw. Though all four vulnerabilities were disclosed and patched, servers remained vulnerable.

It is unknown whether the threat actors mentioned in Symantec's report are exploiting any of the Proxy flaws.
