The ProxyShell vulnerabilities have prompted threat actors to launch domain-wide ransomware attacks against their targets, revealed a new research report from The DFIR Report.
The report, published on Monday, explained that an unnamed and unpatched MS Exchange Server customer was targeted with ransomware attacks, and attackers exploited ProxyShell vulnerabilities to compromise the organization domain-wide.
A recent search on Shodan revealed that 23,000 detected servers are still unpatched to ProxyShell, and around 10,000 are vulnerable to ProxyLogon. Three months back, the ProxyShell numbers were approx. 48,000 servers.
Technical Details of the Attack
According to The DFIR Report, in the identified attack, threat actors dropped multiple web shells across the victim’s network, executed commands to obtain system-level privileges, stole domain administrator’s account, and used DiskCryptor and BitLocker encryption software to encrypt victim’s systems.
Through the stolen Doman Admin account, threat actors managed to perform port scanning with KPortScan 3.0, and for lateral movement, they used
Read the article