Two ransomware gangs separately exploited an unpatched on-premises Microsoft Exchange server at a Canadian healthcare provider last year to steal and hold data hostage, although security updates to prevent successful attacks had been issued months earlier.
Researchers at Sophos, who this week published details about the attacks that used the ProxyShell exploits, wouldn’t name the mid-sized provider or even the province in which it operated. But it was big enough that one group exfiltrated 52 gigabytes of archived files.
“This is the first time we’ve seen two ransomware attacks both using ProxyShell,” said Sean Gallagher, a senior Sophos threat researcher based in Baltimore, in an interview.
The report says that on August 10, 2021, either the Karma ransomware group or an access broker found and exploited the unpatched Microsoft Exchange server. That led to the installation and abuse of the Exchange Management Shell to create an administrative account.
Nothing more happened until November, when that account was used for further compromise through Microsoft’s remote desktop protocol (RDP), which led to the collection of 52 GB of data. While Karma demanded payment on December 3rd for the return of the copied data, it didn’t encrypt any of the remaining data or hold it for ransom because the victim was a healthcare organization.
The institution wasn’t as lucky with the Conti ransomware gang. On November 25th someone exploited the ProxyShell vulnerabilities again to access the same Exchange server and drop a web shell. On December 1, the attacker used a compromised local administrator account to download and install Cobalt Strike beacons on a server for communications, then executed PowerShell scripts to spread laterally across the network. Within days, a compromised admin account was used to siphon files from a primary file server using RDP, after which a Chrome browser was installed to help exfiltrate some 10 GB of data. The Conti ransomware was deployed the next day (December 4), and encrypted the institution’s files.
“Karma took the time to pick and choose data – they were on the network for a longer period of time,” noted Gallagher. “Once they discovered it was a healthcare organization, they decided to do single extortion” for the stolen data and not add ransomware.
“Conti just wanted enough data to use as additional blackmail, and then encrypted everything. Their focus was coming in quickly and doing damage.”
To the best of his knowledge the organization has now restored operations. He didn’t know if ransoms were paid.
ProxyShell consists of three vulnerabilities that, chained together, allow a remote attacker to run code on an unpatched server. Microsoft issued patches in April and May 2021 to fix the holes.
However, a number of organizations took their time applying the patches. In August, after a proof-of-concept exploit was published, a wave of attacks on Exchange servers began. Among the earliest to raise the alarm were researchers at Huntress Labs, who put out a warning on August 19th.
Despite network monitoring and some malware defences, says the Sophos report, both attackers in this case were able to largely accomplish their tactical goals. Only a few systems had malware protection at the time of the Conti attack, as the healthcare provider had not yet had time to deploy it. In the few cases where malware protection had been deployed, ransomware protection detected Conti launching. But, the report says, the ransomware was largely run from servers without protection.
Between the two attacks, a number of things went wrong: The Exchange server remained unpatched against these vulnerabilities; local administrator accounts were compromised and privileges escalated, including one that was brute-forced; and RDP was used for remote access.
Having endpoint protection on the servers, multifactor authentication to protect accounts, and behavioural analysis software, as well as blocking PowerShell from running scripts, could have stopped these attacks, Gallagher said.
“Part of the problem was lack of defence in depth. You can say it was a mistake they hadn’t patched the [Exchange] server. There are many organizations – especially healthcare organizations – that are in a similar boat: Their IT staff are stretched thin. The biggest problem is they had minimal defences against malware and lateral movement. They had Windows Defender on some of the endpoints. They didn’t really have malware protection on the servers. That’s a common problem: Either people operate on the assumption that servers are safe because you don’t view web pages or download and view email on them, or they thought that malware protection causes problems that lower application performance. But that means the malware can use servers as a safe haven to execute across the network and attack systems that have malware protection through remote network shares.”
The attacks were preventable, he said, “but unfortunately we frequently see this scenario play out, where an organization hasn’t fully prepared their environment to be protected against modern threats. A lot of people think of malware as stuff you get in emails or you get when you go to a bad website. They don’t think of attacks using vulnerabilities in internet-facing services.”