In a detailed report, Red Canary researchers analyzed a BlackByte ransomware attack in which the operators exploited the ProxyShell vulnerabilities to install web shells on a compromised Microsoft Exchange server.
ProxyShell is a set of three Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that, when chained together, allow unauthenticated remote code execution on the server.
Web shells give a threat actor persistent access to the server: they can remotely execute commands through it or upload additional files to it.
The planted web shell is then used to drop a Cobalt Strike beacon on the server, which is injected into the Windows Update Agent process. The widely abused penetration testing tool is then used to dump the credentials of a service account on the compromised system. Finally, after taking over that account, the adversaries install the AnyDesk remote access tool and proceed to the lateral movement stage.
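The chain above (web shell written by the Exchange IIS worker, commands spawned from it, credential access from the process hosting the beacon, and a remote access tool appearing on a mail server) maps to a handful of endpoint telemetry checks. The following is an added example written for this page, not code from Red Canary's report; it runs simplified, constructed Sysmon-style events through those checks. The Exchange directory paths, the use of wuauclt.exe to stand for the Windows Update Agent process, the AnyDesk binary name and the lsass.exe allowlist are all assumptions for illustration, not indicators taken from the report.

```python
"""Toy detections for the BlackByte/ProxyShell chain described above.

Added example, not Red Canary's or VARINDIA's code. Events are constructed
inline in a simplified Sysmon-like shape; all paths and process names are
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed locations where Exchange serves .aspx content. A new .aspx file
# written here by the IIS worker (w3wp.exe) is a classic web-shell indicator.
EXCHANGE_WEB_DIRS = (
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy",
    r"c:\program files\microsoft\exchange server\v15\clientaccess",
    r"c:\inetpub\wwwroot\aspnet_client",
)
SHELLS = {"cmd.exe", "powershell.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}          # assumed AnyDesk binary name
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
                   "msmpeng.exe"}               # assumed benign lsass accessors


@dataclass
class Event:
    kind: str           # "proc" (process create), "file" (file create), "access" (process access)
    image: str          # image of the acting process
    parent: str = ""    # parent image, for "proc" events
    target: str = ""    # created file ("file") or accessed process image ("access")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for every event that matches a rule."""
    alerts = []
    for e in events:
        img = _base(e.image)
        if e.kind == "file" and img == "w3wp.exe":
            # Stage 1: web shell dropped by the Exchange IIS worker.
            t = e.target.lower()
            if t.endswith(".aspx") and t.startswith(EXCHANGE_WEB_DIRS):
                alerts.append(("webshell_dropped", e.target))
        elif e.kind == "proc":
            if _base(e.parent) == "w3wp.exe" and img in SHELLS:
                # Stage 2: command execution through the web shell.
                alerts.append(("webshell_command", e.image))
            elif img in REMOTE_ACCESS_TOOLS:
                # Stage 4: remote access tool appearing on a mail server.
                alerts.append(("remote_access_tool", e.image))
        elif e.kind == "access" and _base(e.target) == "lsass.exe":
            # Stage 3: credential dumping; the beacon lives in an injected
            # host process (assumed here to be wuauclt.exe), so the access
            # comes from a process that has no business touching lsass.
            if img not in LSASS_ALLOWLIST:
                alerts.append(("lsass_access", e.image))
    return alerts


# Constructed sample telemetry: three benign events interleaved with the
# four stages of the chain. Not real log data.
SAMPLE_EVENTS = [
    Event("file", r"C:\Windows\System32\inetsrv\w3wp.exe",
          target=r"C:\Windows\Temp\upload_1.tmp"),                        # benign
    Event("file", r"C:\Windows\System32\inetsrv\w3wp.exe",
          target=r"C:\Program Files\Microsoft\Exchange Server\V15"
                 r"\FrontEnd\HttpProxy\owa\auth\error.aspx"),             # stage 1
    Event("proc", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\explorer.exe"),                             # benign
    Event("proc", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\System32\inetsrv\w3wp.exe"),                # stage 2
    Event("access", r"C:\Windows\System32\csrss.exe",
          target=r"C:\Windows\System32\lsass.exe"),                       # benign
    Event("access", r"C:\Windows\System32\wuauclt.exe",
          target=r"C:\Windows\System32\lsass.exe"),                       # stage 3
    Event("proc", r"C:\ProgramData\AnyDesk\AnyDesk.exe",
          parent=r"C:\Windows\System32\cmd.exe"),                         # stage 4
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the rules over the constructed events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:20} {detail}")
```

Each rule is deliberately narrow: a .aspx write is only interesting when the writer is the IIS worker and the location is web-reachable, and lsass access is only interesting when the source is outside a known-benign set, so the benign events in the sample produce no alerts. In a real deployment the paths and allowlists would come from the environment rather than from constants.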