Getty Images

ProxyShell leads to domain-wide ransomware attack

The domain-wide ransomware attack utilized "almost no malware," and the threat actor accomplished the attack with the months-old ProxyShell vulnerabilities.

The "ProxyShell" vulnerabilities have caused domain-wide ransomware attacks against victims, according to new research released Monday by threat intelligence provider The DFIR Report.

ProxyShell is the name given to three Microsoft Exchange Server vulnerabilities disclosed in July that, together, are capable of privilege escalation and remote code execution. According to Monday's report, an unpatched and unnamed Exchange Server customer was victim to ransomware attacks that exploited the vulnerabilities and compromised the organization domain-wide.

The DFIR Report post describes in technical detail how the threat actors dropped multiple web shells across the victim's network, executed commands granting them system-level privileges, stole a domain administrator account, and used BitLocker and DiskCryptor encryption software to encrypt victim systems.

"Using the stolen Domain Admin account, adversaries performed port scanning with KPortScan 3.0 and then moved laterally using RDP. Targeted servers included backup systems and domain controllers. The threat actor also deployed the FRP package to these systems after gaining access," the post read. "Finally, the threat actors deployed setup.bat across the servers in the environment using RDP and then used an open source disk encryption utility to encrypt the workstations. Setup.bat ran commands to enable BitLocker encryption, which resulted in the hosts being inoperable."

The attack did not involve any ransomware-as-a-service tools, and it utilized "almost no malware" according to the report. Moreover, "It was a rare occurrence of a ransomware attack where Cobalt Strike was not used or any other C2 framework."

The time to ransom was 48 hours, according to The DFIR Report, including the time from initial exploitation to the ransomware attack's execution. The threat actors, who were not identified in the post, demanded $8,000 from the victim.

Though ProxyShell hasn't reached the same prominence as the critical ProxyLogon flaws disclosed earlier this year, ProxyShell attacks have been on the rise since the vulnerabilities were first discovered. That said, many servers remain unpatched.

According to a recent Shodan query of internet-facing Exchange servers, 23,000 detected servers are unpatched to ProxyShell, while around 10,000 are vulnerable to ProxyLogon. Three months ago, the ProxyShell numbers were at approximately 48,000 servers.

The DFIR Report did not respond to SearchSecurity's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Next Steps

Malware vs. ransomware: What's the difference?

ProxyShell vs. ProxyLogon: What's the difference?

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing