Canadian healthcare provider’s unpatched Exchange server twice exploited by ransomware gangs
Two ransomware gangs separately exploited an unpatched on-premises Microsoft Exchange server at a Canadian healthcare provider last year to steal and hold data hostage, though security updates to prevent successful attacks were implemented. been published months earlier.
Sophos researchers, who this week published details of attacks that used ProxyShell exploits, did not name the midsize provider or even the province in which it operated. But it was big enough for a group to exfiltrate 52 gigabytes of archived files.
“This is the first time we’ve seen two ransomware attacks using ProxyShell,” Baltimore-based Sophos senior threat researcher Sean Gallagher said in an interview.
The report states that on August 10, 2021, either the Karma ransomware group or an access broker found and exploited the unpatched Microsoft Exchange Server. This led to the installation and operation of an Exchange management shell to create an administrator account.
Nothing more happened until November, when this account was used for further compromise via Microsoft’s Remote Desktop Protocol (RDP), which led to the collection of 52 GB of data. While Karma demanded payment on December 3 for the return of the copied data, it did not encrypt any of the remaining data or hold it for ransom because the victim was a healthcare organization.
The institution was not so lucky with the Conti ransomware gang. November 25and someone again exploited ProxyShell vulnerabilities to access the same Exchange server and remove a web shell. On December 1, the attacker used a compromised local administrator account to download and install Cobalt Strike beacons on a communications server, then executed PowerShell scripts to spread laterally across the network. Within days, a compromised administrator account was used to siphon files from a main file server using RDP, after which a Chrome browser was installed to help exfiltrate around 10 GB of data. The Conti ransomware was deployed the following day (December 4) and encrypted the institution’s files.
“Karma took the time to pick and choose the data – it was on the network for a longer period of time,” Gallagher noted. “Once they found out it was a healthcare organization, they decided to do just one extortion” for the stolen data and not add any ransomware.
“Conti just wanted enough data to use as additional blackmail, then encrypted everything. Their focus was coming fast and doing damage.
To the best of its knowledge, the organization has now resumed operations. He did not know if ransoms were paid.
ProxyShell consists of three vulnerabilities which, chained together, allow a remote attacker to execute code on an unpatched server. Microsoft released patches in April and May 2021 to fix the holes.
However, a number of organizations took their time applying the patches. In August, after the release of a proof-of-concept exploit, a wave of attacks on Exchange servers began. One of the first groups to sound the alarm was researchers at Huntress Labs, who issued a warning on August 19.and.
Despite network monitoring and some malware defenses, according to the Sophos report, the two attackers in this case were able to largely achieve their tactical goals. Only a few systems had malware protection at the time of Conti’s attack because the healthcare provider hadn’t had time to deploy it yet. In the rare cases where Malware Protection was deployed, Ransomware Protection detected Conti launching. But, according to the report, the ransomware was largely executed from unprotected servers.
Between the two attacks, a number of things went wrong: the Exchange server was not patched against these vulnerabilities; local administrator accounts were compromised and privileges were increased, including one that was brutally forced; and RDP was used for remote access.
Having endpoint protection on servers, multi-factor authentication to protect accounts and behavioral analysis software, as well as preventing PowerShell from running scripts could have stopped these attacks, Gallagher said. .
“Part of the problem was the lack of defense in depth. You can tell it was a mistake that they hadn’t fixed the [Exchange] server. There are many organizations – especially healthcare organizations – that are in a similar boat: their IT staff is stretched. The biggest problem is that they had minimal defenses against malware and lateral movement. They had Windows Defender on some endpoints. They didn’t really have any malware protection on the servers. It’s a common problem: either people assume that servers are safe because you don’t view web pages or download and view emails on them, or they think that malware protection is causing issues that reduce application performance. But it does mean that malware can use servers as a safe haven to run on the network and attack malware-protected systems via remote network shares.
The attacks were preventable, he said, “but unfortunately, we frequently see this scenario occur, where an organization has not fully prepared its environment to be protected against modern threats. Many people think that malware is something you receive in emails or when you visit a bad website. They do not think of attacks using vulnerabilities in services accessible on the Internet.