{"id":20319,"date":"2022-03-01T17:02:15","date_gmt":"2022-03-01T21:02:15","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=474780"},"modified":"2022-03-21T11:01:43","modified_gmt":"2022-03-21T15:01:43","slug":"canadian-healthcare-providers-unpatched-exchange-server-exploited-twice-by-ransomware-gangs","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/canadian-healthcare-providers-unpatched-exchange-server-exploited-twice-by-ransomware-gangs\/","title":{"rendered":"Canadian healthcare provider\u2019s unpatched Exchange server exploited twice by ransomware gangs"},"content":{"rendered":"<p>Two ransomware gangs separately exploited an unpatched on-premises Microsoft Exchange server at a Canadian healthcare provider last year to steal and hold data hostage, although security updates to prevent successful attacks had been issued months earlier.<\/p>\n<p>Researchers at Sophos, <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/02\/28\/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits\/\"  rel=\"noopener\">who this week published details about the attacks<\/a> that used the ProxyShell exploits, wouldn\u2019t name the mid-sized provider or even the province in which it operated. But it was big enough that one group exfiltrated 52 gigabytes of archived files.<\/p>\n<p>\u201cThis is the first time we\u2019ve seen two ransomware attacks both using ProxyShell,\u201d Sean Gallagher, a senior Sophos threat researcher based in Baltimore, said in an interview.<\/p>\n<p>The report says that on August 10, 2021, either the Karma ransomware group or an access broker found and exploited the unpatched Microsoft Exchange server. 
That led to the installation and exploitation of an Exchange Management shell to create an administrative account.<\/p>\n<p>Nothing more happened until November, when that account was used for further compromise through Microsoft\u2019s remote desktop protocol (RDP), which led to the collection of 52 GB of data. While Karma demanded payment on December 3rd for the return of the copied data, it didn\u2019t encrypt any of the remaining data or hold it for ransom because the victim was a healthcare organization.<\/p>\n<p>The institution wasn\u2019t as lucky with the Conti ransomware gang. On November 25<sup>th<\/sup> someone exploited the ProxyShell vulnerabilities again to access the same Exchange server and drop a web shell. On December 1, the attacker used a compromised local administrator account to download and install Cobalt Strike beacons on a server for communications, then executed PowerShell scripts to spread laterally across the network. Within days, a compromised admin account was used to siphon files from a primary file server using RDP, after which a Chrome browser was installed to help exfiltrate some 10GB of data. The Conti ransomware was deployed the next day (December 4), and encrypted the institution\u2019s files.<\/p>\n<p>\u201cKarma took the time to pick and choose data \u2013 they were on the network for a longer period of time,\u201d noted Gallagher. \u201cOnce they discovered it was a healthcare organization, they decided to do single extortion\u201d for the stolen data and not add ransomware.<\/p>\n<p>\u201cConti just wanted enough data to use as additional blackmail, and then encrypted everything. Their focus was coming in quickly and doing damage.\u201d<\/p>\n<p>To the best of his knowledge the organization has now restored operations. 
He didn\u2019t know if ransoms were paid.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2021\/08\/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities\/\"  rel=\"noopener\">ProxyShell<\/a> consists of three vulnerabilities which, chained together, allow a remote attacker to run code on an unpatched server. <a href=\"https:\/\/www.huntress.com\/blog\/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit\"  rel=\"noopener\">Microsoft issued patches in April and May, 2021 to fix the holes.<\/a><\/p>\n<p>However, a number of organizations took their time applying the patches. In August, after a proof-of-concept exploit was published, a wave of attacks on Exchange servers began. Among the earliest to raise the alarm were researchers at Huntress Labs, who put out a warning on August 19<sup>th<\/sup>.<\/p>\n<p>Despite network monitoring and some malware defences, says the Sophos report, both attackers in this case were able to largely accomplish their tactical goals. Only a few systems had malware protection at the time of the Conti attack, as the healthcare provider had not yet had time to deploy it. In the few cases where malware protection had been deployed, ransomware protection detected Conti launching. But, the report says, the ransomware was largely run from servers without protection.<\/p>\n<p>Between the two attacks, a number of things went wrong: The Exchange server remained unpatched against these vulnerabilities; local administrator accounts were compromised and privileges escalated, including one that was brute-forced; and RDP was used for remote access.<\/p>\n<p>Having endpoint protection on the servers, multifactor authentication to protect accounts, and behavioural analysis software, as well as blocking PowerShell from running scripts, could have stopped these attacks, Gallagher said.<\/p>\n<p>\u201cPart of the problem was lack of defence in depth. 
You can say it was a mistake they hadn\u2019t patched the [Exchange] server. There are many organizations \u2013 especially healthcare organizations \u2013 that are in a similar boat: Their IT staff are stretched thin. The biggest problem is they had minimal defences against malware and lateral movement. They had Windows Defender on some of the endpoints. They didn\u2019t really have malware protection on the servers. That\u2019s a common problem: Either people operate on the assumption that servers are safe because you don\u2019t view web pages or download and view email on them, or they thought that malware protection causes problems that lower application performance. But that means the malware can use servers as a safe haven to execute across the network and attack systems that have malware protection through remote network shares.\u201d<\/p>\n<p>The attacks were preventable, he said, \u201cbut unfortunately we frequently see this scenario play out, where an organization hasn\u2019t fully prepared their environment to be protected against modern threats. A lot of people think of malware as stuff you get in emails or you get when you go to a bad website. 
They don\u2019t think of attacks using vulnerabilities in internet-facing services.\u201d<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/canadian-healthcare-providers-unpatched-exchange-server-exploited-twice-by-ransomware-gangs\/474780\">Canadian healthcare provider\u2019s unpatched Exchange server exploited twice by ransomware gangs<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Report from Sophos shows the cost of not patching fast, as well as not having malware protection on servers<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/canadian-healthcare-providers-unpatched-exchange-server-exploited-twice-by-ransomware-gangs\/474780\">Canadian healthcare provider\u2019s unpatched Exchange server exploited twice by ransomware gangs<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"author":17,"featured_media":4798,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[16,28],"tags":[391,408,396,388,392,393,409,275],"class_list":["post-20319","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-software","tag-di","tag-healthcare","tag-postmedia","tag-privacy-security","tag-ransomware","tag-security-strategies","tag-sophos","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/20319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.c
om\/staging\/wp-json\/wp\/v2\/comments?post=20319"}],"version-history":[{"count":1,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/20319\/revisions"}],"predecessor-version":[{"id":20320,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/20319\/revisions\/20320"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/4798"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=20319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=20319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=20319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}