Conti Group Exploited Vulnerable Microsoft Exchange Servers

According to cybersecurity consultancy firm Pondurance, the Conti ransomware gang is now using backdoors that are still active. On-premises Microsoft Exchange email servers that have been patched are still vulnerable. 

Pondurance researchers stated, “Despite patching, thousands of devices might still be compromised”. Conti appears to be targeting firms that patched the Exchange issues initially attacked by Chinese attackers but failed to detect and remove the backdoor access that had already been installed.

On March 4th, Microsoft released emergency fixes for four vulnerabilities in its on-premises Exchange email servers. The Biden administration officially accused a group working for China’s Ministry of State Security in July of running a string of attacks against vulnerable Microsoft Exchange email servers this year that disrupted thousands of firms in the United States and around the globe. 

The US has not authorized China for its aggressive cyber operations, according to Anne Neuberger, the US deputy national security advisor for cyber and emerging technologies, who stated last week that the US is first aiming to establish an international consensus on how to respond. 

Meanwhile, Chinese advanced persistent threat organizations have been discovered abusing vulnerabilities in Microsoft Exchange servers to breach telecommunications provider networks in Southeast Asia in an attempt to capture confidential communications from customers. 

The Pondurance researchers discovered one instance in which an unlicensed and exploited remote monitoring and management agent was deployed on an on-premises Exchange server. 

“The unauthorized RMM tool remained present on the victim machine for approximately four months and granted the ability for remote interaction with the victim machine,” Pondurance says. “In July, the RMM tool was used by outside actors to install additional malicious frameworks, including Cobalt Strike. The resulting actions concluded with the installation of Conti ransomware.” 

According to the researchers, the company patched Exchange without first ensuring that any previously established backdoor access had been deleted. 

“Pondurance recommends searching for unauthorized ScreenConnect services installed on on-premises Exchange servers that were vulnerable to [the flaw exploit] at some point,” Pondurance stated.

“These services should be present within the registry and would have generated ‘Service Created’ event logs (event ID 7045) at the time of install in March 2021. You may also find ScreenConnect-related folders created in the filesystem under ‘C:ProgramData,’ ‘C:Program Files (x86),’ and ‘C:WindowsTemp.'” 

Fat Face, a British clothing and accessory retailer paid Conti a $2 million ransom in March to unlock its computers after Conti accessed numerous files containing sensitive data. The organization has also been linked to healthcare-related attacks. After a Conti ransomware assault on Ireland’s Health Service Executive in May, the FBI issued a warning to healthcare institutions and first responder networks, urging them to take precautions to avoid being a victim. 

Furthermore, after complaining about the profit share, a dissatisfied Conti affiliate reportedly released important training material from the ransomware group. Conti, a ransomware-as-a-service group, recruits affiliates to hack networks and encrypt devices in exchange for a cut of the ransom money.

According to Bleeping Computer, a security researcher published a post written by an outraged Conti affiliate who publicly exposed information about the ransomware campaign. 

According to the study, this information contains IP addresses for Cobalt Strike C2 servers as well as a 113 MB package including many tools and training materials for conducting ransomware operations. As per the Bleeping Computer report, the affiliate also wrote on a prominent Russian-speaking hacking site claiming he had been paid $1,500 as part of an attack, while the gang members made millions.