The ProxyShell vulnerabilities have prompted threat actors to launch domain-wide ransomware attacks against their targets, according to a new research report from The DFIR Report.
The report, published on Monday, explained that an unnamed and unpatched MS Exchange Server customer was targeted with ransomware attacks, and attackers exploited ProxyShell vulnerabilities to compromise the organization domain-wide.
A recent search on Shodan revealed that 23,000 detected servers are still unpatched against ProxyShell, and around 10,000 are vulnerable to ProxyLogon. Three months ago, the ProxyShell figure was approximately 48,000 servers.
Technical Details of the Attack
According to The DFIR Report, in the identified attack, threat actors dropped multiple web shells across the victim’s network, executed commands to obtain system-level privileges, stole a domain administrator’s account, and used the DiskCryptor and BitLocker encryption software to encrypt the victim’s systems.
Through the stolen Domain Admin account, threat actors performed port scanning with KPortScan 3.0 and used RDP for lateral movement. Targeted servers included backup systems and domain controllers. After gaining access to these systems, the threat actor deployed the FRP package on them.
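The chain described above (web shells written into Exchange by the IIS worker, commands spawned from that worker, a port scan from one host, and encryption tooling run on servers) lends itself to a few simple detection rules. The script below is an added example written for this article, not code from The DFIR Report; the events it inspects are constructed sample records in a simplified Sysmon-like shape, the port-scan threshold is an arbitrary choice, and the DiskCryptor binary name `dcrypt.exe` is an assumption (`manage-bde.exe` is the real BitLocker command-line tool).

```python
import ntpath
from collections import defaultdict

# Constructed sample events in a simplified Sysmon-like shape (not real logs).
SAMPLE_EVENTS = [
    # Web shell written into an Exchange virtual directory by the IIS worker process
    {"type": "file_create", "host": "EXCH01",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\help.aspx"},
    # Benign: a log file written by the same worker process (not a script)
    {"type": "file_create", "host": "EXCH01",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex211101.log"},
    # Command execution spawned from IIS: typical of a web shell being used
    {"type": "process", "host": "EXCH01",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # BitLocker being turned on from the command line on a domain controller
    {"type": "process", "host": "DC01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -on C: -UsedSpaceOnly"},
    # Ordinary admin activity: should not fire any rule
    {"type": "process", "host": "DC01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
# Port scan: one source touching 40 distinct ports on one destination
SAMPLE_EVENTS += [
    {"type": "network", "host": "EXCH01", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": p}
    for p in range(1, 41)
]
# Normal client traffic to a domain controller: a handful of ports only
SAMPLE_EVENTS += [
    {"type": "network", "host": "WS07", "src": "10.0.0.33", "dst": "10.0.0.20", "dport": p}
    for p in (53, 88, 389, 445)
]

WEB_SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp")
IIS_WORKER = "w3wp.exe"
# manage-bde.exe is the real BitLocker CLI; dcrypt.exe is an assumed DiskCryptor name.
ENCRYPTION_TOOLS = {"manage-bde.exe", "dcrypt.exe"}
PORT_SCAN_THRESHOLD = 20  # distinct ports per (src, dst); arbitrary for this example


def basename(path):
    """Case-insensitive file name from a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def detect_web_shell_drops(events):
    """Script files written by the IIS worker process itself."""
    return [e for e in events if e["type"] == "file_create"
            and basename(e["image"]) == IIS_WORKER
            and e["path"].lower().endswith(WEB_SCRIPT_EXT)]


def detect_iis_spawned_shells(events):
    """Command interpreters whose parent is the IIS worker process."""
    shells = {"cmd.exe", "powershell.exe"}
    return [e for e in events if e["type"] == "process"
            and basename(e["parent"]) == IIS_WORKER
            and basename(e["image"]) in shells]


def detect_port_scans(events, threshold=PORT_SCAN_THRESHOLD):
    """One source hitting many distinct ports on one destination."""
    ports = defaultdict(set)
    for e in events:
        if e["type"] == "network":
            ports[(e["host"], e["src"], e["dst"])].add(e["dport"])
    return [{"host": h, "src": s, "dst": d, "ports": len(p)}
            for (h, s, d), p in ports.items() if len(p) >= threshold]


def detect_encryption_tools(events):
    """Disk-encryption tooling launched as a process."""
    return [e for e in events if e["type"] == "process"
            and basename(e["image"]) in ENCRYPTION_TOOLS]


def run_all(events):
    return {
        "web_shell_drop": detect_web_shell_drops(events),
        "iis_spawned_shell": detect_iis_spawned_shells(events),
        "port_scan": detect_port_scans(events),
        "encryption_tool": detect_encryption_tools(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h.get("host"), h.get("path") or h.get("cmdline") or h)
```

Each rule is deliberately narrow and independent, so a hit on any one of them is worth a look on its own; together they cover the four stages the report describes, from the initial web shell through to the encryption step.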
“Finally, the threat actors deployed setup.bat across the servers in the environment using RDP and then used an open-source